From 468d55b130df66b314b7f211b485b5cb75f1b9c5 Mon Sep 17 00:00:00 2001
From: Namjae Jeon
Date: Tue, 24 Jan 2023 00:40:05 +0900
Subject: [PATCH] ksmbd: limit pdu length size according to connection status

Stream protocol length will never be larger than 16KB until session setup. After session setup, the size of requests will not be larger than 16KB + SMB2 MAX WRITE size. This patch limits these invalidly oversized requests and closes the connection immediately.

Signed-off-by: Namjae Jeon
---
 connection.c | 19 ++++++++++++++++---
 smb2pdu.h | 5 +++--
 2 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/connection.c b/connection.c
index 3d330b910..5962bbddf 100644
--- a/connection.c
+++ b/connection.c
@@ -300,7 +300,7 @@ int ksmbd_conn_handler_loop(void *p)
 {
 struct ksmbd_conn *conn = (struct ksmbd_conn *)p;
 struct ksmbd_transport *t = conn->transport;
- unsigned int pdu_size;
+ unsigned int pdu_size, max_allowed_pdu_size;
 char hdr_buf[4] = {0,};
 int size;

@@ -329,11 +329,24 @@ int ksmbd_conn_handler_loop(void *p)
 if (!ksmbd_pdu_size_has_room(pdu_size)) {
 ksmbd_debug(CONN, "SMB request too short (%u bytes)\n",
 pdu_size);
- continue;
+ break;
+ }
+
+ if (conn->status == KSMBD_SESS_GOOD)
+ max_allowed_pdu_size =
+ SMB3_MAX_MSGSIZE + conn->vals->max_write_size;
+ else
+ max_allowed_pdu_size = SMB3_MAX_MSGSIZE;
+
+ if (pdu_size > max_allowed_pdu_size) {
+ pr_err_ratelimited("PDU length(%u) excceed maximum allowed pdu size(%u) on connection(%d)\n",
+ pdu_size, max_allowed_pdu_size,
+ conn->status);
+ break;
 }

 if (pdu_size > MAX_STREAM_PROT_LEN)
- continue;
+ break;

 /* 4 for rfc1002 length field */
 size = pdu_size + 4;
diff --git a/smb2pdu.h b/smb2pdu.h
index ee649d139..7a380d1ee 100644
--- a/smb2pdu.h
+++ b/smb2pdu.h
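Review bot: In the second connection.c hunk the post-session bound is built only from `conn->vals->max_write_size`, so a valid request whose payload is governed by another negotiated limit (smb2pdu.h shows a separate SMB3_DEFAULT_TRANS_SIZE) would have its connection closed if that limit can be configured above the write size; the visible defaults look safe, but this should be confirmed against the configurable ranges and stated in a comment above the check. `conn->status` is read once for the comparison and again for the log line; if request handlers update it while this loop runs, a snapshot such as `status = READ_ONCE(conn->status);` used for both keeps the decision and the message consistent. Once this cap is enforced, the retained `pdu_size > MAX_STREAM_PROT_LEN` test is probably unreachable (its value is not shown in this patch) and could be removed or marked as a backstop. The log text misspells "exceed" as `excceed`, which matters for anyone alerting on this string. ksmbd_conn_handler_loop begins and ends outside the hunk.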
@@ -113,8 +113,9 @@
 #define SMB21_DEFAULT_IOSIZE (1024 * 1024)
 #define SMB3_DEFAULT_IOSIZE (4 * 1024 * 1024)
 #define SMB3_DEFAULT_TRANS_SIZE (1024 * 1024)
-#define SMB3_MIN_IOSIZE (64 * 1024)
-#define SMB3_MAX_IOSIZE (8 * 1024 * 1024)
+#define SMB3_MIN_IOSIZE (64 * 1024)
+#define SMB3_MAX_IOSIZE (8 * 1024 * 1024)
+#define SMB3_MAX_MSGSIZE (4 * 4096)

 /*
 * SMB2 Header Definition
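Review bot: `SMB3_MAX_MSGSIZE` is added without a comment, and its name reads like a protocol-wide message limit, while connection.c uses it as the cap for every PDU received before the connection reaches KSMBD_SESS_GOOD and as the fixed allowance added to `max_write_size` afterwards. A one-line comment above the define would keep those two uses from drifting apart, for example `/* PDU size cap before session setup; allowance added to max_write_size after */`. The re-alignment of SMB3_MIN_IOSIZE and SMB3_MAX_IOSIZE in the same hunk appears to be whitespace only.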