do not treat non-symlink reparse points as valid symlinks

Windows 8 and later can create NFS symlinks (within reparse points) which we were assuming were normal NTFS symlinks and thus reporting corrupt paths for. Add check for reparse points to make sure that they really are normal symlinks before we try to parse the pathname. We also should not be parsing other types of reparse points (DFS junctions etc) as if they were a symlink so return EOPNOTSUPP on those. Also fix endian errors (we were not parsing symlink lengths as little endian). This fixes commit d244bf2dfbebfded05f494ffd53659fa7b1e32c1 which implemented follow link for non-Unix CIFS mounts CC: Stable <stable@kernel.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Steve French <smfrench@gmail.com>
author: Steve French <smfrench@us.ibm.com> 2013-09-28 19:24:12 -0400
committer: Steve French <smfrench@gmail.com> 2013-10-05 22:54:18 -0400
commit: c31f330719b7331b2112a5525fe5941a99ac223d (patch)
tree: 14e6f0534e820bc30f4fb7e2e876daf072edb0de /fs
parent: e62063d69911886a5a92c719d262a2a87e1e5b60 (diff)
3 files changed, 71 insertions, 14 deletions
diff --git a/fs/cifs/cifspdu.h b/fs/cifs/cifspdu.h
index a630475e421c..08f9dfb1a894 100644
--- a/fs/cifs/cifspdu.h
+++ b/fs/cifs/cifspdu.h
@@ -1491,15 +1491,30 @@ struct file_notify_information {
        __u8  FileName[0];
 } __attribute__((packed));
-struct reparse_data {
+/* For IO_REPARSE_TAG_SYMLINK */
-        __u32   ReparseTag;
+struct reparse_symlink_data {
-        __u16   ReparseDataLength;
+        __le32  ReparseTag;
+        __le16  ReparseDataLength;
        __u16   Reserved;
-        __u16   SubstituteNameOffset;
+        __le16  SubstituteNameOffset;
-        __u16   SubstituteNameLength;
+        __le16  SubstituteNameLength;
-        __u16   PrintNameOffset;
+        __le16  PrintNameOffset;
-        __u16   PrintNameLength;
+        __le16  PrintNameLength;
-        __u32   Flags;
+        __le32  Flags;
+        char    PathBuffer[0];
+} __attribute__((packed));
+/* For IO_REPARSE_TAG_NFS */
+#define NFS_SPECFILE_LNK        0x00000000014B4E4C
+#define NFS_SPECFILE_CHR        0x0000000000524843
+#define NFS_SPECFILE_BLK        0x00000000004B4C42
+#define NFS_SPECFILE_FIFO       0x000000004F464946
+#define NFS_SPECFILE_SOCK       0x000000004B434F53
+struct reparse_posix_data {
+        __le32  ReparseTag;
+        __le16  ReparseDataLength;
+        __u16   Reserved;
+        __le64  InodeType; /* LNK, FIFO, CHR etc. */
        char    PathBuffer[0];
 } __attribute__((packed));
diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c
index 4baf35949b51..ccd31ab815d4 100644
--- a/fs/cifs/cifssmb.c
+++ b/fs/cifs/cifssmb.c
@@ -3088,7 +3088,8 @@ CIFSSMBQuerySymLink(const unsigned int xid, struct cifs_tcon *tcon,
        bool is_unicode;
        unsigned int sub_len;
        char *sub_start;
-        struct reparse_data *reparse_buf;
+        struct reparse_symlink_data *reparse_buf;
+        struct reparse_posix_data *posix_buf;
        __u32 data_offset, data_count;
        char *end_of_smb;
@@ -3137,20 +3138,47 @@ CIFSSMBQuerySymLink(const unsigned int xid, struct cifs_tcon *tcon,
                goto qreparse_out;
        }
        end_of_smb = 2 + get_bcc(&pSMBr->hdr) + (char *)&pSMBr->ByteCount;
-        reparse_buf = (struct reparse_data *)
+        reparse_buf = (struct reparse_symlink_data *)
                                ((char *)&pSMBr->hdr.Protocol + data_offset);
        if ((char *)reparse_buf >= end_of_smb) {
                rc = -EIO;
                goto qreparse_out;
        }
-        if ((reparse_buf->PathBuffer + reparse_buf->PrintNameOffset +
+        if (reparse_buf->ReparseTag == cpu_to_le32(IO_REPARSE_TAG_NFS)) {
-                                reparse_buf->PrintNameLength) > end_of_smb) {
+                cifs_dbg(FYI, "NFS style reparse tag\n");
+                posix_buf =  (struct reparse_posix_data *)reparse_buf;
+                if (posix_buf->InodeType != cpu_to_le64(NFS_SPECFILE_LNK)) {
+                        cifs_dbg(FYI, "unsupported file type 0x%llx\n",
+                                 le64_to_cpu(posix_buf->InodeType));
+                        rc = -EOPNOTSUPP;
+                        goto qreparse_out;
+                }
+                is_unicode = true;
+                sub_len = le16_to_cpu(reparse_buf->ReparseDataLength);
+                if (posix_buf->PathBuffer + sub_len > end_of_smb) {
+                        cifs_dbg(FYI, "reparse buf beyond SMB\n");
+                        rc = -EIO;
+                        goto qreparse_out;
+                }
+                *symlinkinfo = cifs_strndup_from_utf16(posix_buf->PathBuffer,
+                                sub_len, is_unicode, nls_codepage);
+                goto qreparse_out;
+        } else if (reparse_buf->ReparseTag !=
+                        cpu_to_le32(IO_REPARSE_TAG_SYMLINK)) {
+                rc = -EOPNOTSUPP;
+                goto qreparse_out;
+        }
+        /* Reparse tag is NTFS symlink */
+        sub_start = le16_to_cpu(reparse_buf->SubstituteNameOffset) +
+                                reparse_buf->PathBuffer;
+        sub_len = le16_to_cpu(reparse_buf->SubstituteNameLength);
+        if (sub_start + sub_len > end_of_smb) {
                cifs_dbg(FYI, "reparse buf beyond SMB\n");
                rc = -EIO;
                goto qreparse_out;
        }
-        sub_start = reparse_buf->SubstituteNameOffset + reparse_buf->PathBuffer;
-        sub_len = reparse_buf->SubstituteNameLength;
        if (pSMBr->hdr.Flags2 & SMBFLG2_UNICODE)
                is_unicode = true;
        else
diff --git a/fs/cifs/smbfsctl.h b/fs/cifs/smbfsctl.h
index d952ee48f4dc..a4b2391fe66e 100644
--- a/fs/cifs/smbfsctl.h
+++ b/fs/cifs/smbfsctl.h
@@ -97,9 +97,23 @@
 #define FSCTL_QUERY_NETWORK_INTERFACE_INFO 0x001401FC /* BB add struct */
 #define FSCTL_SRV_READ_HASH          0x001441BB /* BB add struct */
+/* See FSCC 2.1.2.5 */
 #define IO_REPARSE_TAG_MOUNT_POINT   0xA0000003
 #define IO_REPARSE_TAG_HSM           0xC0000004
 #define IO_REPARSE_TAG_SIS           0x80000007
+#define IO_REPARSE_TAG_HSM2          0x80000006
+#define IO_REPARSE_TAG_DRIVER_EXTENDER 0x80000005
+/* Used by the DFS filter. See MS-DFSC */
+#define IO_REPARSE_TAG_DFS           0x8000000A
+/* Used by the DFS filter See MS-DFSC */
+#define IO_REPARSE_TAG_DFSR          0x80000012
+#define IO_REPARSE_TAG_FILTER_MANAGER 0x8000000B
+/* See section MS-FSCC 2.1.2.4 */
+#define IO_REPARSE_TAG_SYMLINK       0xA000000C
+#define IO_REPARSE_TAG_DEDUP         0x80000013
+#define IO_REPARSE_APPXSTREAM        0xC0000014
+/* NFS symlinks, Win 8/SMB3 and later */
+#define IO_REPARSE_TAG_NFS           0x80000014
 /* fsctl flags */
 /* If Flags is set to this value, the request is an FSCTL not ioctl request */
author	Steve French <smfrench@us.ibm.com>	2013-09-28 19:24:12 -0400
committer	Steve French <smfrench@gmail.com>	2013-10-05 22:54:18 -0400
commit	c31f330719b7331b2112a5525fe5941a99ac223d (patch)
tree	14e6f0534e820bc30f4fb7e2e876daf072edb0de /fs
parent	e62063d69911886a5a92c719d262a2a87e1e5b60 (diff)

diff --git a/fs/cifs/cifspdu.h b/fs/cifs/cifspdu.h index a630475e421c..08f9dfb1a894 100644 --- a/fs/cifs/cifspdu.h +++ b/fs/cifs/cifspdu.h
@@ -1491,15 +1491,30 @@ struct file_notify_information {
1491	__u8 FileName[0];	1491	__u8 FileName[0];
1492	} __attribute__((packed));	1492	} __attribute__((packed));
1493		1493
1494	struct reparse_data {	1494	/* For IO_REPARSE_TAG_SYMLINK */
1495	__u32 ReparseTag;	1495	struct reparse_symlink_data {
1496	__u16 ReparseDataLength;	1496	__le32 ReparseTag;
		1497	__le16 ReparseDataLength;
1497	__u16 Reserved;	1498	__u16 Reserved;
1498	__u16 SubstituteNameOffset;	1499	__le16 SubstituteNameOffset;
1499	__u16 SubstituteNameLength;	1500	__le16 SubstituteNameLength;
1500	__u16 PrintNameOffset;	1501	__le16 PrintNameOffset;
1501	__u16 PrintNameLength;	1502	__le16 PrintNameLength;
1502	__u32 Flags;	1503	__le32 Flags;
		1504	char PathBuffer[0];
		1505	} __attribute__((packed));
		1506
		1507	/* For IO_REPARSE_TAG_NFS */
		1508	#define NFS_SPECFILE_LNK 0x00000000014B4E4C
		1509	#define NFS_SPECFILE_CHR 0x0000000000524843
		1510	#define NFS_SPECFILE_BLK 0x00000000004B4C42
		1511	#define NFS_SPECFILE_FIFO 0x000000004F464946
		1512	#define NFS_SPECFILE_SOCK 0x000000004B434F53
		1513	struct reparse_posix_data {
		1514	__le32 ReparseTag;
		1515	__le16 ReparseDataLength;
		1516	__u16 Reserved;
		1517	__le64 InodeType; /* LNK, FIFO, CHR etc. */
1503	char PathBuffer[0];	1518	char PathBuffer[0];
1504	} __attribute__((packed));	1519	} __attribute__((packed));
1505		1520


diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c index 4baf35949b51..ccd31ab815d4 100644 --- a/fs/cifs/cifssmb.c +++ b/fs/cifs/cifssmb.c
@@ -3088,7 +3088,8 @@ CIFSSMBQuerySymLink(const unsigned int xid, struct cifs_tcon *tcon,
3088	bool is_unicode;	3088	bool is_unicode;
3089	unsigned int sub_len;	3089	unsigned int sub_len;
3090	char *sub_start;	3090	char *sub_start;
3091	struct reparse_data *reparse_buf;	3091	struct reparse_symlink_data *reparse_buf;
		3092	struct reparse_posix_data *posix_buf;
3092	__u32 data_offset, data_count;	3093	__u32 data_offset, data_count;
3093	char *end_of_smb;	3094	char *end_of_smb;
3094		3095
@@ -3137,20 +3138,47 @@ CIFSSMBQuerySymLink(const unsigned int xid, struct cifs_tcon *tcon,
3137	goto qreparse_out;	3138	goto qreparse_out;
3138	}	3139	}
3139	end_of_smb = 2 + get_bcc(&pSMBr->hdr) + (char *)&pSMBr->ByteCount;	3140	end_of_smb = 2 + get_bcc(&pSMBr->hdr) + (char *)&pSMBr->ByteCount;
3140	reparse_buf = (struct reparse_data *)	3141	reparse_buf = (struct reparse_symlink_data *)
3141	((char *)&pSMBr->hdr.Protocol + data_offset);	3142	((char *)&pSMBr->hdr.Protocol + data_offset);
3142	if ((char *)reparse_buf >= end_of_smb) {	3143	if ((char *)reparse_buf >= end_of_smb) {
3143	rc = -EIO;	3144	rc = -EIO;
3144	goto qreparse_out;	3145	goto qreparse_out;
3145	}	3146	}
3146	if ((reparse_buf->PathBuffer + reparse_buf->PrintNameOffset +	3147	if (reparse_buf->ReparseTag == cpu_to_le32(IO_REPARSE_TAG_NFS)) {
3147	reparse_buf->PrintNameLength) > end_of_smb) {	3148	cifs_dbg(FYI, "NFS style reparse tag\n");
		3149	posix_buf = (struct reparse_posix_data *)reparse_buf;
		3150
		3151	if (posix_buf->InodeType != cpu_to_le64(NFS_SPECFILE_LNK)) {
		3152	cifs_dbg(FYI, "unsupported file type 0x%llx\n",
		3153	le64_to_cpu(posix_buf->InodeType));
		3154	rc = -EOPNOTSUPP;
		3155	goto qreparse_out;
		3156	}
		3157	is_unicode = true;
		3158	sub_len = le16_to_cpu(reparse_buf->ReparseDataLength);
		3159	if (posix_buf->PathBuffer + sub_len > end_of_smb) {
		3160	cifs_dbg(FYI, "reparse buf beyond SMB\n");
		3161	rc = -EIO;
		3162	goto qreparse_out;
		3163	}
		3164	*symlinkinfo = cifs_strndup_from_utf16(posix_buf->PathBuffer,
		3165	sub_len, is_unicode, nls_codepage);
		3166	goto qreparse_out;
		3167	} else if (reparse_buf->ReparseTag !=
		3168	cpu_to_le32(IO_REPARSE_TAG_SYMLINK)) {
		3169	rc = -EOPNOTSUPP;
		3170	goto qreparse_out;
		3171	}
		3172
		3173	/* Reparse tag is NTFS symlink */
		3174	sub_start = le16_to_cpu(reparse_buf->SubstituteNameOffset) +
		3175	reparse_buf->PathBuffer;
		3176	sub_len = le16_to_cpu(reparse_buf->SubstituteNameLength);
		3177	if (sub_start + sub_len > end_of_smb) {
3148	cifs_dbg(FYI, "reparse buf beyond SMB\n");	3178	cifs_dbg(FYI, "reparse buf beyond SMB\n");
3149	rc = -EIO;	3179	rc = -EIO;
3150	goto qreparse_out;	3180	goto qreparse_out;
3151	}	3181	}
3152	sub_start = reparse_buf->SubstituteNameOffset + reparse_buf->PathBuffer;
3153	sub_len = reparse_buf->SubstituteNameLength;
3154	if (pSMBr->hdr.Flags2 & SMBFLG2_UNICODE)	3182	if (pSMBr->hdr.Flags2 & SMBFLG2_UNICODE)
3155	is_unicode = true;	3183	is_unicode = true;
3156	else	3184	else


diff --git a/fs/cifs/smbfsctl.h b/fs/cifs/smbfsctl.h index d952ee48f4dc..a4b2391fe66e 100644 --- a/fs/cifs/smbfsctl.h +++ b/fs/cifs/smbfsctl.h
@@ -97,9 +97,23 @@
97	#define FSCTL_QUERY_NETWORK_INTERFACE_INFO 0x001401FC /* BB add struct */	97	#define FSCTL_QUERY_NETWORK_INTERFACE_INFO 0x001401FC /* BB add struct */
98	#define FSCTL_SRV_READ_HASH 0x001441BB /* BB add struct */	98	#define FSCTL_SRV_READ_HASH 0x001441BB /* BB add struct */
99		99
		100	/* See FSCC 2.1.2.5 */
100	#define IO_REPARSE_TAG_MOUNT_POINT 0xA0000003	101	#define IO_REPARSE_TAG_MOUNT_POINT 0xA0000003
101	#define IO_REPARSE_TAG_HSM 0xC0000004	102	#define IO_REPARSE_TAG_HSM 0xC0000004
102	#define IO_REPARSE_TAG_SIS 0x80000007	103	#define IO_REPARSE_TAG_SIS 0x80000007
		104	#define IO_REPARSE_TAG_HSM2 0x80000006
		105	#define IO_REPARSE_TAG_DRIVER_EXTENDER 0x80000005
		106	/* Used by the DFS filter. See MS-DFSC */
		107	#define IO_REPARSE_TAG_DFS 0x8000000A
		108	/* Used by the DFS filter See MS-DFSC */
		109	#define IO_REPARSE_TAG_DFSR 0x80000012
		110	#define IO_REPARSE_TAG_FILTER_MANAGER 0x8000000B
		111	/* See section MS-FSCC 2.1.2.4 */
		112	#define IO_REPARSE_TAG_SYMLINK 0xA000000C
		113	#define IO_REPARSE_TAG_DEDUP 0x80000013
		114	#define IO_REPARSE_APPXSTREAM 0xC0000014
		115	/* NFS symlinks, Win 8/SMB3 and later */
		116	#define IO_REPARSE_TAG_NFS 0x80000014
103		117
104	/* fsctl flags */	118	/* fsctl flags */
105	/* If Flags is set to this value, the request is an FSCTL not ioctl request */	119	/* If Flags is set to this value, the request is an FSCTL not ioctl request */