1 files changed, 87 insertions, 5 deletions
diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
index d65270c290a1..2013234b73ad 100644
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -454,6 +454,81 @@ neg_exit:
        return rc;
 }
+int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon)
+{
+        int rc = 0;
+        struct validate_negotiate_info_req vneg_inbuf;
+        struct validate_negotiate_info_rsp *pneg_rsp;
+        u32 rsplen;
+        cifs_dbg(FYI, "validate negotiate\n");
+        /*
+         * validation ioctl must be signed, so no point sending this if we
+         * can not sign it.  We could eventually change this to selectively
+         * sign just this, the first and only signed request on a connection.
+         * This is good enough for now since a user who wants better security
+         * would also enable signing on the mount. Having validation of
+         * negotiate info for signed connections helps reduce attack vectors
+         */
+        if (tcon->ses->server->sign == false)
+                return 0; /* validation requires signing */
+        vneg_inbuf.Capabilities =
+                        cpu_to_le32(tcon->ses->server->vals->req_capabilities);
+        memcpy(vneg_inbuf.Guid, cifs_client_guid, SMB2_CLIENT_GUID_SIZE);
+        if (tcon->ses->sign)
+                vneg_inbuf.SecurityMode =
+                        cpu_to_le16(SMB2_NEGOTIATE_SIGNING_REQUIRED);
+        else if (global_secflags & CIFSSEC_MAY_SIGN)
+                vneg_inbuf.SecurityMode =
+                        cpu_to_le16(SMB2_NEGOTIATE_SIGNING_ENABLED);
+        else
+                vneg_inbuf.SecurityMode = 0;
+        vneg_inbuf.DialectCount = cpu_to_le16(1);
+        vneg_inbuf.Dialects[0] =
+                cpu_to_le16(tcon->ses->server->vals->protocol_id);
+        rc = SMB2_ioctl(xid, tcon, NO_FILE_ID, NO_FILE_ID,
+                FSCTL_VALIDATE_NEGOTIATE_INFO, true /* is_fsctl */,
+                (char *)&vneg_inbuf, sizeof(struct validate_negotiate_info_req),
+                (char **)&pneg_rsp, &rsplen);
+        if (rc != 0) {
+                cifs_dbg(VFS, "validate protocol negotiate failed: %d\n", rc);
+                return -EIO;
+        }
+        if (rsplen != sizeof(struct validate_negotiate_info_rsp)) {
+                cifs_dbg(VFS, "invalid size of protocol negotiate response\n");
+                return -EIO;
+        }
+        /* check validate negotiate info response matches what we got earlier */
+        if (pneg_rsp->Dialect !=
+                        cpu_to_le16(tcon->ses->server->vals->protocol_id))
+                goto vneg_out;
+        if (pneg_rsp->SecurityMode != cpu_to_le16(tcon->ses->server->sec_mode))
+                goto vneg_out;
+        /* do not validate server guid because not saved at negprot time yet */
+        if ((le32_to_cpu(pneg_rsp->Capabilities) | SMB2_NT_FIND |
+              SMB2_LARGE_FILES) != tcon->ses->server->capabilities)
+                goto vneg_out;
+        /* validate negotiate successful */
+        cifs_dbg(FYI, "validate negotiate info successful\n");
+        return 0;
+vneg_out:
+        cifs_dbg(VFS, "protocol revalidation - security settings mismatch\n");
+        return -EIO;
+}
 int
 SMB2_sess_setup(const unsigned int xid, struct cifs_ses *ses,
                const struct nls_table *nls_cp)
@@ -829,6 +904,8 @@ SMB2_tcon(const unsigned int xid, struct cifs_ses *ses, const char *tree,
            ((tcon->share_flags & SHI1005_FLAGS_DFS) == 0))
                cifs_dbg(VFS, "DFS capability contradicts DFS flag\n");
        init_copy_chunk_defaults(tcon);
+        if (tcon->ses->server->ops->validate_negotiate)
+                rc = tcon->ses->server->ops->validate_negotiate(xid, tcon);
 tcon_exit:
        free_rsp_buf(resp_buftype, rsp);
        kfree(unc_path);
@@ -1214,10 +1291,17 @@ SMB2_ioctl(const unsigned int xid, struct cifs_tcon *tcon, u64 persistent_fid,
        rc = SendReceive2(xid, ses, iov, num_iovecs, &resp_buftype, 0);
        rsp = (struct smb2_ioctl_rsp *)iov[0].iov_base;
-        if (rc != 0) {
+        if ((rc != 0) && (rc != -EINVAL)) {
                if (tcon)
                        cifs_stats_fail_inc(tcon, SMB2_IOCTL_HE);
                goto ioctl_exit;
+        } else if (rc == -EINVAL) {
+                if ((opcode != FSCTL_SRV_COPYCHUNK_WRITE) &&
+                    (opcode != FSCTL_SRV_COPYCHUNK)) {
+                        if (tcon)
+                                cifs_stats_fail_inc(tcon, SMB2_IOCTL_HE);
+                        goto ioctl_exit;
+                }
        }
        /* check if caller wants to look at return data or just return rc */
@@ -2154,11 +2238,9 @@ send_set_info(const unsigned int xid, struct cifs_tcon *tcon,
        rc = SendReceive2(xid, ses, iov, num, &resp_buftype, 0);
        rsp = (struct smb2_set_info_rsp *)iov[0].iov_base;
-        if (rc != 0) {
+        if (rc != 0)
                cifs_stats_fail_inc(tcon, SMB2_SET_INFO_HE);
-                goto out;
-        }
-out:
        free_rsp_buf(resp_buftype, rsp);
        kfree(iov);
        return rc;

diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c index d65270c290a1..2013234b73ad 100644 --- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c
@@ -454,6 +454,81 @@ neg_exit:
454	return rc;	454	return rc;
455	}	455	}
456		456
		457	int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon)
		458	{
		459	int rc = 0;
		460	struct validate_negotiate_info_req vneg_inbuf;
		461	struct validate_negotiate_info_rsp *pneg_rsp;
		462	u32 rsplen;
		463
		464	cifs_dbg(FYI, "validate negotiate\n");
		465
		466	/*
		467	* validation ioctl must be signed, so no point sending this if we
		468	* can not sign it. We could eventually change this to selectively
		469	* sign just this, the first and only signed request on a connection.
		470	* This is good enough for now since a user who wants better security
		471	* would also enable signing on the mount. Having validation of
		472	* negotiate info for signed connections helps reduce attack vectors
		473	*/
		474	if (tcon->ses->server->sign == false)
		475	return 0; /* validation requires signing */
		476
		477	vneg_inbuf.Capabilities =
		478	cpu_to_le32(tcon->ses->server->vals->req_capabilities);
		479	memcpy(vneg_inbuf.Guid, cifs_client_guid, SMB2_CLIENT_GUID_SIZE);
		480
		481	if (tcon->ses->sign)
		482	vneg_inbuf.SecurityMode =
		483	cpu_to_le16(SMB2_NEGOTIATE_SIGNING_REQUIRED);
		484	else if (global_secflags & CIFSSEC_MAY_SIGN)
		485	vneg_inbuf.SecurityMode =
		486	cpu_to_le16(SMB2_NEGOTIATE_SIGNING_ENABLED);
		487	else
		488	vneg_inbuf.SecurityMode = 0;
		489
		490	vneg_inbuf.DialectCount = cpu_to_le16(1);
		491	vneg_inbuf.Dialects[0] =
		492	cpu_to_le16(tcon->ses->server->vals->protocol_id);
		493
		494	rc = SMB2_ioctl(xid, tcon, NO_FILE_ID, NO_FILE_ID,
		495	FSCTL_VALIDATE_NEGOTIATE_INFO, true /* is_fsctl */,
		496	(char *)&vneg_inbuf, sizeof(struct validate_negotiate_info_req),
		497	(char **)&pneg_rsp, &rsplen);
		498
		499	if (rc != 0) {
		500	cifs_dbg(VFS, "validate protocol negotiate failed: %d\n", rc);
		501	return -EIO;
		502	}
		503
		504	if (rsplen != sizeof(struct validate_negotiate_info_rsp)) {
		505	cifs_dbg(VFS, "invalid size of protocol negotiate response\n");
		506	return -EIO;
		507	}
		508
		509	/* check validate negotiate info response matches what we got earlier */
		510	if (pneg_rsp->Dialect !=
		511	cpu_to_le16(tcon->ses->server->vals->protocol_id))
		512	goto vneg_out;
		513
		514	if (pneg_rsp->SecurityMode != cpu_to_le16(tcon->ses->server->sec_mode))
		515	goto vneg_out;
		516
		517	/* do not validate server guid because not saved at negprot time yet */
		518
		519	if ((le32_to_cpu(pneg_rsp->Capabilities) \| SMB2_NT_FIND \|
		520	SMB2_LARGE_FILES) != tcon->ses->server->capabilities)
		521	goto vneg_out;
		522
		523	/* validate negotiate successful */
		524	cifs_dbg(FYI, "validate negotiate info successful\n");
		525	return 0;
		526
		527	vneg_out:
		528	cifs_dbg(VFS, "protocol revalidation - security settings mismatch\n");
		529	return -EIO;
		530	}
		531
457	int	532	int
458	SMB2_sess_setup(const unsigned int xid, struct cifs_ses *ses,	533	SMB2_sess_setup(const unsigned int xid, struct cifs_ses *ses,
459	const struct nls_table *nls_cp)	534	const struct nls_table *nls_cp)
@@ -829,6 +904,8 @@ SMB2_tcon(const unsigned int xid, struct cifs_ses ses, const char tree,
829	((tcon->share_flags & SHI1005_FLAGS_DFS) == 0))	904	((tcon->share_flags & SHI1005_FLAGS_DFS) == 0))
830	cifs_dbg(VFS, "DFS capability contradicts DFS flag\n");	905	cifs_dbg(VFS, "DFS capability contradicts DFS flag\n");
831	init_copy_chunk_defaults(tcon);	906	init_copy_chunk_defaults(tcon);
		907	if (tcon->ses->server->ops->validate_negotiate)
		908	rc = tcon->ses->server->ops->validate_negotiate(xid, tcon);
832	tcon_exit:	909	tcon_exit:
833	free_rsp_buf(resp_buftype, rsp);	910	free_rsp_buf(resp_buftype, rsp);
834	kfree(unc_path);	911	kfree(unc_path);
@@ -1214,10 +1291,17 @@ SMB2_ioctl(const unsigned int xid, struct cifs_tcon *tcon, u64 persistent_fid,
1214	rc = SendReceive2(xid, ses, iov, num_iovecs, &resp_buftype, 0);	1291	rc = SendReceive2(xid, ses, iov, num_iovecs, &resp_buftype, 0);
1215	rsp = (struct smb2_ioctl_rsp *)iov[0].iov_base;	1292	rsp = (struct smb2_ioctl_rsp *)iov[0].iov_base;
1216		1293
1217	if (rc != 0) {	1294	if ((rc != 0) && (rc != -EINVAL)) {
1218	if (tcon)	1295	if (tcon)
1219	cifs_stats_fail_inc(tcon, SMB2_IOCTL_HE);	1296	cifs_stats_fail_inc(tcon, SMB2_IOCTL_HE);
1220	goto ioctl_exit;	1297	goto ioctl_exit;
		1298	} else if (rc == -EINVAL) {
		1299	if ((opcode != FSCTL_SRV_COPYCHUNK_WRITE) &&
		1300	(opcode != FSCTL_SRV_COPYCHUNK)) {
		1301	if (tcon)
		1302	cifs_stats_fail_inc(tcon, SMB2_IOCTL_HE);
		1303	goto ioctl_exit;
		1304	}
1221	}	1305	}
1222		1306
1223	/* check if caller wants to look at return data or just return rc */	1307	/* check if caller wants to look at return data or just return rc */
@@ -2154,11 +2238,9 @@ send_set_info(const unsigned int xid, struct cifs_tcon *tcon,
2154	rc = SendReceive2(xid, ses, iov, num, &resp_buftype, 0);	2238	rc = SendReceive2(xid, ses, iov, num, &resp_buftype, 0);
2155	rsp = (struct smb2_set_info_rsp *)iov[0].iov_base;	2239	rsp = (struct smb2_set_info_rsp *)iov[0].iov_base;
2156		2240
2157	if (rc != 0) {	2241	if (rc != 0)
2158	cifs_stats_fail_inc(tcon, SMB2_SET_INFO_HE);	2242	cifs_stats_fail_inc(tcon, SMB2_SET_INFO_HE);
2159	goto out;	2243
2160	}
2161	out:
2162	free_rsp_buf(resp_buftype, rsp);	2244	free_rsp_buf(resp_buftype, rsp);
2163	kfree(iov);	2245	kfree(iov);
2164	return rc;	2246	return rc;