1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* 3 * Copyright (C) 2016 Namjae Jeon <linkinjeon@kernel.org> 4 * Copyright (C) 2018 Samsung Electronics Co., Ltd. 5 */ 6 7 #include "glob.h" 8 #include "smb_common.h" 9 #include "../common/smb2status.h" 10 #include "mgmt/user_session.h" 11 #include "connection.h" 12 13 static int check_smb2_hdr(struct smb2_hdr *hdr) 14 { 15 /* 16 * Make sure that this really is an SMB, that it is a response. 17 */ 18 if (hdr->Flags & SMB2_FLAGS_SERVER_TO_REDIR) 19 return 1; 20 return 0; 21 } 22 23 /* 24 * The following table defines the expected "StructureSize" of SMB2 requests 25 * in order by SMB2 command. This is similar to "wct" in SMB/CIFS requests. 26 * 27 * Note that commands are defined in smb2pdu.h in le16 but the array below is 28 * indexed by command in host byte order 29 */ 30 static const __le16 smb2_req_struct_sizes[NUMBER_OF_SMB2_COMMANDS] = { 31 /* SMB2_NEGOTIATE */ cpu_to_le16(36), 32 /* SMB2_SESSION_SETUP */ cpu_to_le16(25), 33 /* SMB2_LOGOFF */ cpu_to_le16(4), 34 /* SMB2_TREE_CONNECT */ cpu_to_le16(9), 35 /* SMB2_TREE_DISCONNECT */ cpu_to_le16(4), 36 /* SMB2_CREATE */ cpu_to_le16(57), 37 /* SMB2_CLOSE */ cpu_to_le16(24), 38 /* SMB2_FLUSH */ cpu_to_le16(24), 39 /* SMB2_READ */ cpu_to_le16(49), 40 /* SMB2_WRITE */ cpu_to_le16(49), 41 /* SMB2_LOCK */ cpu_to_le16(48), 42 /* SMB2_IOCTL */ cpu_to_le16(57), 43 /* SMB2_CANCEL */ cpu_to_le16(4), 44 /* SMB2_ECHO */ cpu_to_le16(4), 45 /* SMB2_QUERY_DIRECTORY */ cpu_to_le16(33), 46 /* SMB2_CHANGE_NOTIFY */ cpu_to_le16(32), 47 /* SMB2_QUERY_INFO */ cpu_to_le16(41), 48 /* SMB2_SET_INFO */ cpu_to_le16(33), 49 /* use 44 for lease break */ 50 /* SMB2_OPLOCK_BREAK */ cpu_to_le16(36) 51 }; 52 53 /* 54 * The size of the variable area depends on the offset and length fields 55 * located in different fields for various SMB2 requests. SMB2 requests 56 * with no variable length info, show an offset of zero for the offset field. 57 */ 58 static const bool has_smb2_data_area[NUMBER_OF_SMB2_COMMANDS] = { 59 /* SMB2_NEGOTIATE */ true, 60 /* SMB2_SESSION_SETUP */ true, 61 /* SMB2_LOGOFF */ false, 62 /* SMB2_TREE_CONNECT */ true, 63 /* SMB2_TREE_DISCONNECT */ false, 64 /* SMB2_CREATE */ true, 65 /* SMB2_CLOSE */ false, 66 /* SMB2_FLUSH */ false, 67 /* SMB2_READ */ true, 68 /* SMB2_WRITE */ true, 69 /* SMB2_LOCK */ true, 70 /* SMB2_IOCTL */ true, 71 /* SMB2_CANCEL */ false, /* BB CHECK this not listed in documentation */ 72 /* SMB2_ECHO */ false, 73 /* SMB2_QUERY_DIRECTORY */ true, 74 /* SMB2_CHANGE_NOTIFY */ false, 75 /* SMB2_QUERY_INFO */ true, 76 /* SMB2_SET_INFO */ true, 77 /* SMB2_OPLOCK_BREAK */ false 78 }; 79 80 /* 81 * Set length of the data area and the offset to arguments. 82 * if they are invalid, return error. 83 */ 84 static int smb2_get_data_area_len(unsigned int *off, unsigned int *len, 85 struct smb2_hdr *hdr) 86 { 87 int ret = 0; 88 89 *off = 0; 90 *len = 0; 91 92 /* 93 * Following commands have data areas so we have to get the location 94 * of the data buffer offset and data buffer length for the particular 95 * command. 96 */ 97 switch (hdr->Command) { 98 case SMB2_SESSION_SETUP: 99 *off = le16_to_cpu(((struct smb2_sess_setup_req *)hdr)->SecurityBufferOffset); 100 *len = le16_to_cpu(((struct smb2_sess_setup_req *)hdr)->SecurityBufferLength); 101 break; 102 case SMB2_TREE_CONNECT: 103 *off = max_t(unsigned short int, 104 le16_to_cpu(((struct smb2_tree_connect_req *)hdr)->PathOffset), 105 offsetof(struct smb2_tree_connect_req, Buffer)); 106 *len = le16_to_cpu(((struct smb2_tree_connect_req *)hdr)->PathLength); 107 break; 108 case SMB2_CREATE: 109 { 110 unsigned short int name_off = 111 max_t(unsigned short int, 112 le16_to_cpu(((struct smb2_create_req *)hdr)->NameOffset), 113 offsetof(struct smb2_create_req, Buffer)); 114 unsigned short int name_len = 115 le16_to_cpu(((struct smb2_create_req *)hdr)->NameLength); 116 117 if (((struct smb2_create_req *)hdr)->CreateContextsLength) { 118 *off = le32_to_cpu(((struct smb2_create_req *) 119 hdr)->CreateContextsOffset); 120 *len = le32_to_cpu(((struct smb2_create_req *) 121 hdr)->CreateContextsLength); 122 if (!name_len) 123 break; 124 125 if (name_off + name_len < (u64)*off + *len) 126 break; 127 } 128 129 *off = name_off; 130 *len = name_len; 131 break; 132 } 133 case SMB2_QUERY_INFO: 134 *off = max_t(unsigned int, 135 le16_to_cpu(((struct smb2_query_info_req *)hdr)->InputBufferOffset), 136 offsetof(struct smb2_query_info_req, Buffer)); 137 *len = le32_to_cpu(((struct smb2_query_info_req *)hdr)->InputBufferLength); 138 break; 139 case SMB2_SET_INFO: 140 *off = max_t(unsigned int, 141 le16_to_cpu(((struct smb2_set_info_req *)hdr)->BufferOffset), 142 offsetof(struct smb2_set_info_req, Buffer)); 143 *len = le32_to_cpu(((struct smb2_set_info_req *)hdr)->BufferLength); 144 break; 145 case SMB2_READ: 146 *off = le16_to_cpu(((struct smb2_read_req *)hdr)->ReadChannelInfoOffset); 147 *len = le16_to_cpu(((struct smb2_read_req *)hdr)->ReadChannelInfoLength); 148 break; 149 case SMB2_WRITE: 150 if (((struct smb2_write_req *)hdr)->DataOffset || 151 ((struct smb2_write_req *)hdr)->Length) { 152 *off = max_t(unsigned short int, 153 le16_to_cpu(((struct smb2_write_req *)hdr)->DataOffset), 154 offsetof(struct smb2_write_req, Buffer)); 155 *len = le32_to_cpu(((struct smb2_write_req *)hdr)->Length); 156 break; 157 } 158 159 *off = le16_to_cpu(((struct smb2_write_req *)hdr)->WriteChannelInfoOffset); 160 *len = le16_to_cpu(((struct smb2_write_req *)hdr)->WriteChannelInfoLength); 161 break; 162 case SMB2_QUERY_DIRECTORY: 163 *off = max_t(unsigned short int, 164 le16_to_cpu(((struct smb2_query_directory_req *)hdr)->FileNameOffset), 165 offsetof(struct smb2_query_directory_req, Buffer)); 166 *len = le16_to_cpu(((struct smb2_query_directory_req *)hdr)->FileNameLength); 167 break; 168 case SMB2_LOCK: 169 { 170 unsigned short lock_count; 171 172 lock_count = le16_to_cpu(((struct smb2_lock_req *)hdr)->LockCount); 173 if (lock_count > 0) { 174 *off = offsetof(struct smb2_lock_req, locks); 175 *len = sizeof(struct smb2_lock_element) * lock_count; 176 } 177 break; 178 } 179 case SMB2_IOCTL: 180 *off = max_t(unsigned int, 181 le32_to_cpu(((struct smb2_ioctl_req *)hdr)->InputOffset), 182 offsetof(struct smb2_ioctl_req, Buffer)); 183 *len = le32_to_cpu(((struct smb2_ioctl_req *)hdr)->InputCount); 184 break; 185 default: 186 ksmbd_debug(SMB, "no length check for command\n"); 187 break; 188 } 189 190 if (*off > 4096) { 191 ksmbd_debug(SMB, "offset %d too large\n", *off); 192 ret = -EINVAL; 193 } else if ((u64)*off + *len > MAX_STREAM_PROT_LEN) { 194 ksmbd_debug(SMB, "Request is larger than maximum stream protocol length(%u): %llu\n", 195 MAX_STREAM_PROT_LEN, (u64)*off + *len); 196 ret = -EINVAL; 197 } 198 199 return ret; 200 } 201 202 /* 203 * Calculate the size of the SMB message based on the fixed header 204 * portion, the number of word parameters and the data portion of the message. 205 */ 206 static int smb2_calc_size(void *buf, unsigned int *len) 207 { 208 struct smb2_pdu *pdu = (struct smb2_pdu *)buf; 209 struct smb2_hdr *hdr = &pdu->hdr; 210 unsigned int offset; /* the offset from the beginning of SMB to data area */ 211 unsigned int data_length; /* the length of the variable length data area */ 212 int ret; 213 214 /* Structure Size has already been checked to make sure it is 64 */ 215 *len = le16_to_cpu(hdr->StructureSize); 216 217 /* 218 * StructureSize2, ie length of fixed parameter area has already 219 * been checked to make sure it is the correct length. 220 */ 221 *len += le16_to_cpu(pdu->StructureSize2); 222 /* 223 * StructureSize2 of smb2_lock pdu is set to 48, indicating 224 * the size of smb2 lock request with single smb2_lock_element 225 * regardless of number of locks. Subtract single 226 * smb2_lock_element for correct buffer size check. 227 */ 228 if (hdr->Command == SMB2_LOCK) 229 *len -= sizeof(struct smb2_lock_element); 230 231 if (has_smb2_data_area[le16_to_cpu(hdr->Command)] == false) 232 goto calc_size_exit; 233 234 ret = smb2_get_data_area_len(&offset, &data_length, hdr); 235 if (ret) 236 return ret; 237 ksmbd_debug(SMB, "SMB2 data length %u offset %u\n", data_length, 238 offset); 239 240 if (data_length > 0) { 241 /* 242 * Check to make sure that data area begins after fixed area, 243 * Note that last byte of the fixed area is part of data area 244 * for some commands, typically those with odd StructureSize, 245 * so we must add one to the calculation. 246 */ 247 if (offset + 1 < *len) { 248 ksmbd_debug(SMB, 249 "data area offset %d overlaps SMB2 header %u\n", 250 offset + 1, *len); 251 return -EINVAL; 252 } 253 254 *len = offset + data_length; 255 } 256 257 calc_size_exit: 258 ksmbd_debug(SMB, "SMB2 len %u\n", *len); 259 return 0; 260 } 261 262 static inline int smb2_query_info_req_len(struct smb2_query_info_req *h) 263 { 264 return le32_to_cpu(h->InputBufferLength) + 265 le32_to_cpu(h->OutputBufferLength); 266 } 267 268 static inline int smb2_set_info_req_len(struct smb2_set_info_req *h) 269 { 270 return le32_to_cpu(h->BufferLength); 271 } 272 273 static inline int smb2_read_req_len(struct smb2_read_req *h) 274 { 275 return le32_to_cpu(h->Length); 276 } 277 278 static inline int smb2_write_req_len(struct smb2_write_req *h) 279 { 280 return le32_to_cpu(h->Length); 281 } 282 283 static inline int smb2_query_dir_req_len(struct smb2_query_directory_req *h) 284 { 285 return le32_to_cpu(h->OutputBufferLength); 286 } 287 288 static inline int smb2_ioctl_req_len(struct smb2_ioctl_req *h) 289 { 290 return le32_to_cpu(h->InputCount) + 291 le32_to_cpu(h->OutputCount); 292 } 293 294 static inline int smb2_ioctl_resp_len(struct smb2_ioctl_req *h) 295 { 296 return le32_to_cpu(h->MaxInputResponse) + 297 le32_to_cpu(h->MaxOutputResponse); 298 } 299 300 static int smb2_validate_credit_charge(struct ksmbd_conn *conn, 301 struct smb2_hdr *hdr) 302 { 303 unsigned int req_len = 0, expect_resp_len = 0, calc_credit_num, max_len; 304 unsigned short credit_charge = le16_to_cpu(hdr->CreditCharge); 305 void *__hdr = hdr; 306 int ret = 0; 307 308 switch (hdr->Command) { 309 case SMB2_QUERY_INFO: 310 req_len = smb2_query_info_req_len(__hdr); 311 break; 312 case SMB2_SET_INFO: 313 req_len = smb2_set_info_req_len(__hdr); 314 break; 315 case SMB2_READ: 316 req_len = smb2_read_req_len(__hdr); 317 break; 318 case SMB2_WRITE: 319 req_len = smb2_write_req_len(__hdr); 320 break; 321 case SMB2_QUERY_DIRECTORY: 322 req_len = smb2_query_dir_req_len(__hdr); 323 break; 324 case SMB2_IOCTL: 325 req_len = smb2_ioctl_req_len(__hdr); 326 expect_resp_len = smb2_ioctl_resp_len(__hdr); 327 break; 328 case SMB2_CANCEL: 329 return 0; 330 default: 331 req_len = 1; 332 break; 333 } 334 335 credit_charge = max_t(unsigned short, credit_charge, 1); 336 max_len = max_t(unsigned int, req_len, expect_resp_len); 337 calc_credit_num = DIV_ROUND_UP(max_len, SMB2_MAX_BUFFER_SIZE); 338 339 if (credit_charge < calc_credit_num) { 340 ksmbd_debug(SMB, "Insufficient credit charge, given: %d, needed: %d\n", 341 credit_charge, calc_credit_num); 342 return 1; 343 } else if (credit_charge > conn->vals->max_credits) { 344 ksmbd_debug(SMB, "Too large credit charge: %d\n", credit_charge); 345 return 1; 346 } 347 348 spin_lock(&conn->credits_lock); 349 if (credit_charge > conn->total_credits) { 350 ksmbd_debug(SMB, "Insufficient credits granted, given: %u, granted: %u\n", 351 credit_charge, conn->total_credits); 352 ret = 1; 353 } 354 355 if ((u64)conn->outstanding_credits + credit_charge > conn->total_credits) { 356 ksmbd_debug(SMB, "Limits exceeding the maximum allowable outstanding requests, given : %u, pending : %u\n", 357 credit_charge, conn->outstanding_credits); 358 ret = 1; 359 } else 360 conn->outstanding_credits += credit_charge; 361 362 spin_unlock(&conn->credits_lock); 363 364 return ret; 365 } 366 367 int ksmbd_smb2_check_message(struct ksmbd_work *work) 368 { 369 struct smb2_pdu *pdu = ksmbd_req_buf_next(work); 370 struct smb2_hdr *hdr = &pdu->hdr; 371 int command; 372 __u32 clc_len; /* calculated length */ 373 __u32 len = get_rfc1002_len(work->request_buf); 374 __u32 req_struct_size, next_cmd = le32_to_cpu(hdr->NextCommand); 375 376 if ((u64)work->next_smb2_rcv_hdr_off + next_cmd > len) { 377 pr_err("next command(%u) offset exceeds smb msg size\n", 378 next_cmd); 379 return 1; 380 } 381 382 if (next_cmd > 0) 383 len = next_cmd; 384 else if (work->next_smb2_rcv_hdr_off) 385 len -= work->next_smb2_rcv_hdr_off; 386 387 if (check_smb2_hdr(hdr)) 388 return 1; 389 390 if (hdr->StructureSize != SMB2_HEADER_STRUCTURE_SIZE) { 391 ksmbd_debug(SMB, "Illegal structure size %u\n", 392 le16_to_cpu(hdr->StructureSize)); 393 return 1; 394 } 395 396 command = le16_to_cpu(hdr->Command); 397 if (command >= NUMBER_OF_SMB2_COMMANDS) { 398 ksmbd_debug(SMB, "Illegal SMB2 command %d\n", command); 399 return 1; 400 } 401 402 if (smb2_req_struct_sizes[command] != pdu->StructureSize2) { 403 if (!(command == SMB2_OPLOCK_BREAK_HE && 404 (le16_to_cpu(pdu->StructureSize2) == OP_BREAK_STRUCT_SIZE_20 || 405 le16_to_cpu(pdu->StructureSize2) == OP_BREAK_STRUCT_SIZE_21))) { 406 /* special case for SMB2.1 lease break message */ 407 ksmbd_debug(SMB, 408 "Illegal request size %u for command %d\n", 409 le16_to_cpu(pdu->StructureSize2), command); 410 return 1; 411 } 412 } 413 414 req_struct_size = le16_to_cpu(pdu->StructureSize2) + 415 __SMB2_HEADER_STRUCTURE_SIZE; 416 if (command == SMB2_LOCK_HE) 417 req_struct_size -= sizeof(struct smb2_lock_element); 418 419 if (req_struct_size > len + 1) 420 return 1; 421 422 if (smb2_calc_size(hdr, &clc_len)) 423 return 1; 424 425 if (len != clc_len) { 426 /* client can return one byte more due to implied bcc[0] */ 427 if (clc_len == len + 1) 428 goto validate_credit; 429 430 /* 431 * Some windows servers (win2016) will pad also the final 432 * PDU in a compound to 8 bytes. 433 */ 434 if (ALIGN(clc_len, 8) == len) 435 goto validate_credit; 436 437 /* 438 * SMB2 NEGOTIATE request will be validated when message 439 * handling proceeds. 440 */ 441 if (command == SMB2_NEGOTIATE_HE) 442 goto validate_credit; 443 444 /* 445 * Allow a message that padded to 8byte boundary. 446 * Linux 4.19.217 with smb 3.0.2 are sometimes 447 * sending messages where the cls_len is exactly 448 * 8 bytes less than len. 449 */ 450 if (clc_len < len && (len - clc_len) <= 8) 451 goto validate_credit; 452 453 pr_err_ratelimited( 454 "cli req too short, len %d not %d. cmd:%d mid:%llu\n", 455 len, clc_len, command, 456 le64_to_cpu(hdr->MessageId)); 457 458 return 1; 459 } 460 461 validate_credit: 462 if ((work->conn->vals->req_capabilities & SMB2_GLOBAL_CAP_LARGE_MTU) && 463 smb2_validate_credit_charge(work->conn, hdr)) 464 return 1; 465 466 return 0; 467 } 468 469 int smb2_negotiate_request(struct ksmbd_work *work) 470 { 471 return ksmbd_smb_negotiate_common(work, SMB2_NEGOTIATE_HE); 472 } 473