lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20241014093949.ea6egfoysw3gk5rs@pali>
Date: Mon, 14 Oct 2024 11:39:49 +0200
From: Pali Rohár <pali@...nel.org>
To: Steve French <smfrench@...il.com>
Cc: Steve French <sfrench@...ba.org>, Paulo Alcantara <pc@...guebit.com>,
	Ronnie Sahlberg <ronniesahlberg@...il.com>,
	linux-cifs@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2 5/6] cifs: Validate content of native symlink

On Saturday 12 October 2024 23:21:43 Steve French wrote:
> This looks like one of the more important of the fixes of this series
> - let me know if any thoughts or Reviewed-by/Acked-by on it.  I may
> try to send this earlier than the others
> 
> Pali,
> Let me know if I missed dependencies that this patch depends on

This one should be fine. I do not see any dependency for this change.

> On Sat, Oct 5, 2024 at 9:03 AM Pali Rohár <pali@...nel.org> wrote:
> >
> > Check that path buffer has correct length (it is non-zero and in UNICODE
> > mode it has even number of bytes) and check that buffer does not contain
> > null character (UTF-16 null codepoint in UNICODE mode or null byte in
> > non-unicode mode) because Linux cannot process symlink with null byte.
> >
> > Signed-off-by: Pali Rohár <pali@...nel.org>
> > ---
> >  fs/smb/client/reparse.c | 19 +++++++++++++++++++
> >  1 file changed, 19 insertions(+)
> >
> > diff --git a/fs/smb/client/reparse.c b/fs/smb/client/reparse.c
> > index 0d1cea64ab6e..fb1d16b17f38 100644
> > --- a/fs/smb/client/reparse.c
> > +++ b/fs/smb/client/reparse.c
> > @@ -544,6 +544,25 @@ int smb2_parse_native_symlink(char **target, const char *buf, unsigned int len,
> >         int rc;
> >         int i;
> >
> > +       /* Check that length it valid for unicode/non-unicode mode */
> > +       if (!len || (unicode && (len % 2))) {
> > +               cifs_dbg(VFS, "srv returned malformed symlink buffer\n");
> > +               rc = -EIO;
> > +               goto out;
> > +       }
> > +
> > +       /*
> > +        * Check that buffer does not contain UTF-16 null codepoint in unicode
> > +        * mode or null byte in non-unicode mode because Linux cannot process
> > +        * symlink with null byte.
> > +        */
> > +       if ((unicode && UniStrnlen((wchar_t *)buf, len/2) != len/2) ||
> > +           (!unicode && strnlen(buf, len) != len)) {
> > +               cifs_dbg(VFS, "srv returned null byte in native symlink target location\n");
> > +               rc = -EIO;
> > +               goto out;
> > +       }
> > +
> >         smb_target = cifs_strndup_from_utf16(buf, len, unicode, cifs_sb->local_nls);
> >         if (!smb_target) {
> >                 rc = -ENOMEM;
> > --
> > 2.20.1
> >
> >
> 
> 
> -- 
> Thanks,
> 
> Steve

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ