| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250609224900.zlocskau3pgg4itz@pali> Date: Tue, 10 Jun 2025 00:49:00 +0200 From: Pali Rohár <pali@...nel.org> To: Paulo Alcantara <pc@...guebit.com> Cc: Steve French <sfrench@...ba.org>, linux-cifs@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH 3/5] cifs: Fix validation of SMB2_OP_QUERY_WSL_EA response size On Sunday 08 June 2025 20:10:24 Paulo Alcantara wrote: > Pali Rohár <pali@...nel.org> writes: > > > On Sunday 08 June 2025 18:49:43 Paulo Alcantara wrote: > >> Pali Rohár <pali@...nel.org> writes: > >> > >> If we're querying all those EAs and the file has only $LXMOD, wouldn't > >> the server return empty EAs except for $LXMOD? > > > > We are using FILE_FULL_EA_INFORMATION for querying EAs, which means that > > always all stored EAs are returned. It is not 4 calls (one by one), but > > rather one call to return everything at once. > > Yes. > > > Windows server in this case returns just one EA in its response: $LXMOD EA. > > And SMB2_WSL_MIN_QUERY_EA_RESP_SIZE specifies that at least 3 EAs must > > be returned, otherwise check_wsl_eas() throws error and do not try to > > parse response. > > Can you share a trace of the server returning only a single EA in the > response when we query $LXUID, $LXGID, $LXMOD and $LXDEV? > > What I mean is that we query all those EAs when we find reparse points > on non-POSIX mounts, and if the file doesn't have them, the server still > returns the EAs but with a zero smb2_file_full_ea_info::ea_value_len. > check_wsl_eas() skips the EA when is @vlen zero. I started recording of tcpdump and I'm not able to reproduce it anymore. That is stupid. So I started investigation what happened there... And the result is that I have more changes related to EAs on my disk, and I did some tests on all of them. And due to bug in dissector of older wireshark version which I used, I wrongly interpreted the format of network EA buffer. So based on this I calculated all sizes wrongly and introduced bug in my WIP code on my disk. So it my mistake here. So please drop this one "PATCH 3/5". I re-checked the size limits and they should be correct.
Powered by blists - more mailing lists