diff options
Diffstat (limited to 'fs/cifs/smb2pdu.c')
-rw-r--r-- | fs/cifs/smb2pdu.c | 92 |
1 files changed, 87 insertions, 5 deletions
diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c index d65270c290a1..2013234b73ad 100644 --- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c | |||
@@ -454,6 +454,81 @@ neg_exit: | |||
454 | return rc; | 454 | return rc; |
455 | } | 455 | } |
456 | 456 | ||
457 | int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon) | ||
458 | { | ||
459 | int rc = 0; | ||
460 | struct validate_negotiate_info_req vneg_inbuf; | ||
461 | struct validate_negotiate_info_rsp *pneg_rsp; | ||
462 | u32 rsplen; | ||
463 | |||
464 | cifs_dbg(FYI, "validate negotiate\n"); | ||
465 | |||
466 | /* | ||
467 | * validation ioctl must be signed, so no point sending this if we | ||
468 | * can not sign it. We could eventually change this to selectively | ||
469 | * sign just this, the first and only signed request on a connection. | ||
470 | * This is good enough for now since a user who wants better security | ||
471 | * would also enable signing on the mount. Having validation of | ||
472 | * negotiate info for signed connections helps reduce attack vectors | ||
473 | */ | ||
474 | if (tcon->ses->server->sign == false) | ||
475 | return 0; /* validation requires signing */ | ||
476 | |||
477 | vneg_inbuf.Capabilities = | ||
478 | cpu_to_le32(tcon->ses->server->vals->req_capabilities); | ||
479 | memcpy(vneg_inbuf.Guid, cifs_client_guid, SMB2_CLIENT_GUID_SIZE); | ||
480 | |||
481 | if (tcon->ses->sign) | ||
482 | vneg_inbuf.SecurityMode = | ||
483 | cpu_to_le16(SMB2_NEGOTIATE_SIGNING_REQUIRED); | ||
484 | else if (global_secflags & CIFSSEC_MAY_SIGN) | ||
485 | vneg_inbuf.SecurityMode = | ||
486 | cpu_to_le16(SMB2_NEGOTIATE_SIGNING_ENABLED); | ||
487 | else | ||
488 | vneg_inbuf.SecurityMode = 0; | ||
489 | |||
490 | vneg_inbuf.DialectCount = cpu_to_le16(1); | ||
491 | vneg_inbuf.Dialects[0] = | ||
492 | cpu_to_le16(tcon->ses->server->vals->protocol_id); | ||
493 | |||
494 | rc = SMB2_ioctl(xid, tcon, NO_FILE_ID, NO_FILE_ID, | ||
495 | FSCTL_VALIDATE_NEGOTIATE_INFO, true /* is_fsctl */, | ||
496 | (char *)&vneg_inbuf, sizeof(struct validate_negotiate_info_req), | ||
497 | (char **)&pneg_rsp, &rsplen); | ||
498 | |||
499 | if (rc != 0) { | ||
500 | cifs_dbg(VFS, "validate protocol negotiate failed: %d\n", rc); | ||
501 | return -EIO; | ||
502 | } | ||
503 | |||
504 | if (rsplen != sizeof(struct validate_negotiate_info_rsp)) { | ||
505 | cifs_dbg(VFS, "invalid size of protocol negotiate response\n"); | ||
506 | return -EIO; | ||
507 | } | ||
508 | |||
509 | /* check validate negotiate info response matches what we got earlier */ | ||
510 | if (pneg_rsp->Dialect != | ||
511 | cpu_to_le16(tcon->ses->server->vals->protocol_id)) | ||
512 | goto vneg_out; | ||
513 | |||
514 | if (pneg_rsp->SecurityMode != cpu_to_le16(tcon->ses->server->sec_mode)) | ||
515 | goto vneg_out; | ||
516 | |||
517 | /* do not validate server guid because not saved at negprot time yet */ | ||
518 | |||
519 | if ((le32_to_cpu(pneg_rsp->Capabilities) | SMB2_NT_FIND | | ||
520 | SMB2_LARGE_FILES) != tcon->ses->server->capabilities) | ||
521 | goto vneg_out; | ||
522 | |||
523 | /* validate negotiate successful */ | ||
524 | cifs_dbg(FYI, "validate negotiate info successful\n"); | ||
525 | return 0; | ||
526 | |||
527 | vneg_out: | ||
528 | cifs_dbg(VFS, "protocol revalidation - security settings mismatch\n"); | ||
529 | return -EIO; | ||
530 | } | ||
531 | |||
457 | int | 532 | int |
458 | SMB2_sess_setup(const unsigned int xid, struct cifs_ses *ses, | 533 | SMB2_sess_setup(const unsigned int xid, struct cifs_ses *ses, |
459 | const struct nls_table *nls_cp) | 534 | const struct nls_table *nls_cp) |
@@ -829,6 +904,8 @@ SMB2_tcon(const unsigned int xid, struct cifs_ses *ses, const char *tree, | |||
829 | ((tcon->share_flags & SHI1005_FLAGS_DFS) == 0)) | 904 | ((tcon->share_flags & SHI1005_FLAGS_DFS) == 0)) |
830 | cifs_dbg(VFS, "DFS capability contradicts DFS flag\n"); | 905 | cifs_dbg(VFS, "DFS capability contradicts DFS flag\n"); |
831 | init_copy_chunk_defaults(tcon); | 906 | init_copy_chunk_defaults(tcon); |
907 | if (tcon->ses->server->ops->validate_negotiate) | ||
908 | rc = tcon->ses->server->ops->validate_negotiate(xid, tcon); | ||
832 | tcon_exit: | 909 | tcon_exit: |
833 | free_rsp_buf(resp_buftype, rsp); | 910 | free_rsp_buf(resp_buftype, rsp); |
834 | kfree(unc_path); | 911 | kfree(unc_path); |
@@ -1214,10 +1291,17 @@ SMB2_ioctl(const unsigned int xid, struct cifs_tcon *tcon, u64 persistent_fid, | |||
1214 | rc = SendReceive2(xid, ses, iov, num_iovecs, &resp_buftype, 0); | 1291 | rc = SendReceive2(xid, ses, iov, num_iovecs, &resp_buftype, 0); |
1215 | rsp = (struct smb2_ioctl_rsp *)iov[0].iov_base; | 1292 | rsp = (struct smb2_ioctl_rsp *)iov[0].iov_base; |
1216 | 1293 | ||
1217 | if (rc != 0) { | 1294 | if ((rc != 0) && (rc != -EINVAL)) { |
1218 | if (tcon) | 1295 | if (tcon) |
1219 | cifs_stats_fail_inc(tcon, SMB2_IOCTL_HE); | 1296 | cifs_stats_fail_inc(tcon, SMB2_IOCTL_HE); |
1220 | goto ioctl_exit; | 1297 | goto ioctl_exit; |
1298 | } else if (rc == -EINVAL) { | ||
1299 | if ((opcode != FSCTL_SRV_COPYCHUNK_WRITE) && | ||
1300 | (opcode != FSCTL_SRV_COPYCHUNK)) { | ||
1301 | if (tcon) | ||
1302 | cifs_stats_fail_inc(tcon, SMB2_IOCTL_HE); | ||
1303 | goto ioctl_exit; | ||
1304 | } | ||
1221 | } | 1305 | } |
1222 | 1306 | ||
1223 | /* check if caller wants to look at return data or just return rc */ | 1307 | /* check if caller wants to look at return data or just return rc */ |
@@ -2154,11 +2238,9 @@ send_set_info(const unsigned int xid, struct cifs_tcon *tcon, | |||
2154 | rc = SendReceive2(xid, ses, iov, num, &resp_buftype, 0); | 2238 | rc = SendReceive2(xid, ses, iov, num, &resp_buftype, 0); |
2155 | rsp = (struct smb2_set_info_rsp *)iov[0].iov_base; | 2239 | rsp = (struct smb2_set_info_rsp *)iov[0].iov_base; |
2156 | 2240 | ||
2157 | if (rc != 0) { | 2241 | if (rc != 0) |
2158 | cifs_stats_fail_inc(tcon, SMB2_SET_INFO_HE); | 2242 | cifs_stats_fail_inc(tcon, SMB2_SET_INFO_HE); |
2159 | goto out; | 2243 | |
2160 | } | ||
2161 | out: | ||
2162 | free_rsp_buf(resp_buftype, rsp); | 2244 | free_rsp_buf(resp_buftype, rsp); |
2163 | kfree(iov); | 2245 | kfree(iov); |
2164 | return rc; | 2246 | return rc; |