ksmbd: check iov vector index in ksmbd_conn_write()

If ->iov_idx is zero, This means that the iov vector for the response was not added during the request process. In other words, it means that there is a problem in generating a response, So this patch dump the command information in the request and returned as an error to avoid NULL pointer dereferencing problem. Signed-off-by: Namjae Jeon <[email protected]>
cifsd-team · Sep 20, 2023 · 63eebf4 · 63eebf4
1 parent fc7fb83
commit 63eebf4
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 0 deletions.
diff --git a/connection.c b/connection.c
@@ -17,6 +17,7 @@
 #include "connection.h"
 #include "transport_tcp.h"
 #include "transport_rdma.h"
+#include "misc.h"
 
 static DEFINE_MUTEX(init_lock);
 
@@ -248,6 +249,11 @@ int ksmbd_conn_write(struct ksmbd_work *work)
 		ksmbd_conn_unlock(conn);
 	}
 #else
+	if (!work->iov_idx) {
+		ksmbd_dump_commands(work);
+		return -EINVAL;
+	}
+
 	ksmbd_conn_lock(conn);
 	sent = conn->transport->ops->writev(conn->transport, work->iov,
 			work->iov_cnt,

diff --git a/misc.c b/misc.c
@@ -486,3 +486,18 @@ inline long long ksmbd_systime(void)
 	ktime_get_real_ts64(&ts);
 	return ksmbd_UnixTimeToNT(ts);
 }
+
+void ksmbd_dump_commands(struct ksmbd_work *work)
+{
+	char *buf = (char *)work->request_buf + 4;
+	struct smb2_hdr *hdr;
+
+	pr_err("Dump commands in request\n");
+	do {
+		hdr = (struct smb2_hdr *)buf;
+		pr_err("Command : 0x%x, Next offset : %u\n",
+		       le16_to_cpu(hdr->Command),
+		       le32_to_cpu(hdr->NextCommand));
+		buf += le32_to_cpu(hdr->NextCommand);
+	} while (hdr->NextCommand);
+}
diff --git a/misc.h b/misc.h
@@ -10,6 +10,7 @@ struct ksmbd_share_config;
 struct nls_table;
 struct kstat;
 struct ksmbd_file;
+struct ksmbd_work;
 
 int match_pattern(const char *str, size_t len, const char *pattern);
 int ksmbd_validate_filename(char *filename);
@@ -23,6 +24,7 @@ void ksmbd_conv_path_to_windows(char *path);
 char *ksmbd_casefold_sharename(struct unicode_map *um, const char *name);
 char *ksmbd_extract_sharename(struct unicode_map *um, const char *treename);
 char *convert_to_unix_name(struct ksmbd_share_config *share, const char *name);
+void ksmbd_dump_commands(struct ksmbd_work *work);
 
 #define KSMBD_DIR_INFO_ALIGNMENT	8
 struct ksmbd_dir_info;