ksmbd: smbdirect: validate data_offset and data_length field of smb_direct_data_transfer

If data_offset and data_length of smb_direct_data_transfer struct are
invalid, out of bounds issue could happen.
This patch validate data_offset and data_length field in recv_done.

Cc: stable@vger.kernel.org
Fixes: 2ea086e35c3d ("ksmbd: add buffer validation for smb direct")
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reported-by: Luigino Camastra, Aisle Research <luigino.camastra@aisle.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>

diff --git a/fs/smb/server/transport_rdma.c b/fs/smb/server/transport_rdma.c
index cc4322bfa1d611e231901831b3e773f9c6ad7d0b..d52f3757827631ae3c06daf51b7fdbc853cacc14 100644 (file)
--- a/fs/smb/server/transport_rdma.c
+++ b/fs/smb/server/transport_rdma.c
@@ -554,7 +554,7 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
        case SMB_DIRECT_MSG_DATA_TRANSFER: {
                struct smb_direct_data_transfer *data_transfer =
                        (struct smb_direct_data_transfer *)recvmsg->packet;
-               unsigned int data_length;
+               unsigned int data_offset, data_length;
                int avail_recvmsg_count, receive_credits;
 
                if (wc->byte_len <
@@ -565,14 +565,15 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
                }
 
                data_length = le32_to_cpu(data_transfer->data_length);
-               if (data_length) {
-                       if (wc->byte_len < sizeof(struct smb_direct_data_transfer) +
-                           (u64)data_length) {
-                               put_recvmsg(t, recvmsg);
-                               smb_direct_disconnect_rdma_connection(t);
-                               return;
-                       }
+               data_offset = le32_to_cpu(data_transfer->data_offset);
+               if (wc->byte_len < data_offset ||
+                   wc->byte_len < (u64)data_offset + data_length) {
+                       put_recvmsg(t, recvmsg);
+                       smb_direct_disconnect_rdma_connection(t);
+                       return;
+               }
 
+               if (data_length) {
                        if (t->full_packet_received)
                                recvmsg->first_segment = true;