ksmbd: smb1: add buffer validation

Many functions assume the client sends well formed packets, or are
optimistic about the buffer length (using PATH_MAX or a fixed '256'
value) instead of the actual length.

The pattern followed to fix this boils down to extracting the total
buffer length and calculate how much data has been consumed.

Signed-off-by: Marios Makassikis <[email protected]>

Author: Marios Makassikis

auth.c

@@ -330,16 +330,23 @@ static int calc_ntlmv2_hash(struct ksmbd_session *sess, char *ntlmv2_hash,
  * ksmbd_auth_ntlm() - NTLM authentication handler
  * @sess:	session of connection
  * @pw_buf:	NTLM challenge response
- * @passkey:	user password
+ * @pw_len:	buffer length
+ * @cryptkey:	buffer length
  *
  * Return:	0 on success, error number on error
  */
-int ksmbd_auth_ntlm(struct ksmbd_session *sess, char *pw_buf, char *cryptkey)
+int ksmbd_auth_ntlm(struct ksmbd_session *sess, char *pw_buf, size_t pw_len,
+		    char *cryptkey)
 {
 	int rc;
 	unsigned char p21[21];
 	char key[CIFS_AUTH_RESP_SIZE];
 
+	if (pw_len < CIFS_AUTH_RESP_SIZE) {
+		ksmbd_debug(AUTH, "short response\n");
+		return -EINVAL;
+	}
+
 	memset(p21, '\0', 21);
 	memcpy(p21, user_passkey(sess->user), CIFS_NTHASH_SIZE);
 	rc = ksmbd_enc_p24(p21, cryptkey, key);
@@ -601,7 +608,7 @@ int ksmbd_decode_ntlmssp_auth_blob(struct authenticate_message *authblob,
 						   conn->ntlmssp.cryptkey);
 		else
 			return ksmbd_auth_ntlm(sess, (char *)authblob +
-				nt_off, conn->ntlmssp.cryptkey);
+				nt_off, nt_len, conn->ntlmssp.cryptkey);
 	}
 #endif
 

auth.h

@@ -38,7 +38,8 @@ struct kvec;
 int ksmbd_crypt_message(struct ksmbd_conn *conn, struct kvec *iov,
 			unsigned int nvec, int enc);
 void ksmbd_copy_gss_neg_header(void *buf);
-int ksmbd_auth_ntlm(struct ksmbd_session *sess, char *pw_buf, char *cryptkey);
+int ksmbd_auth_ntlm(struct ksmbd_session *sess, char *pw_buf, size_t pw_len,
+		    char *cryptkey);
 int ksmbd_auth_ntlmv2(struct ksmbd_session *sess, struct ntlmv2_resp *ntlmv2,
 		      int blen, char *domain_name, char *cryptkey);
 int ksmbd_decode_ntlmssp_auth_blob(struct authenticate_message *authblob,