Lines Matching +full:fixed +full:- +full:length
1 // SPDX-License-Identifier: GPL-2.0-or-later
19 if (hdr->Flags & SMB2_FLAGS_SERVER_TO_REDIR) in check_smb2_hdr()
55 * The size of the variable area depends on the offset and length fields
57 * with no variable length info, show an offset of zero for the offset field.
82 * Set the length of the data area and its offset in the output arguments.
95 * of the data buffer offset and data buffer length for the particular in smb2_get_data_area_len()
98 switch (hdr->Command) { in smb2_get_data_area_len()
100 *off = le16_to_cpu(((struct smb2_sess_setup_req *)hdr)->SecurityBufferOffset); in smb2_get_data_area_len()
101 *len = le16_to_cpu(((struct smb2_sess_setup_req *)hdr)->SecurityBufferLength); in smb2_get_data_area_len()
104 *off = le16_to_cpu(((struct smb2_tree_connect_req *)hdr)->PathOffset); in smb2_get_data_area_len()
105 *len = le16_to_cpu(((struct smb2_tree_connect_req *)hdr)->PathLength); in smb2_get_data_area_len()
110 le16_to_cpu(((struct smb2_create_req *)hdr)->NameOffset); in smb2_get_data_area_len()
112 le16_to_cpu(((struct smb2_create_req *)hdr)->NameLength); in smb2_get_data_area_len()
114 if (((struct smb2_create_req *)hdr)->CreateContextsLength) { in smb2_get_data_area_len()
116 hdr)->CreateContextsOffset); in smb2_get_data_area_len()
118 hdr)->CreateContextsLength); in smb2_get_data_area_len()
131 *off = le16_to_cpu(((struct smb2_query_info_req *)hdr)->InputBufferOffset); in smb2_get_data_area_len()
132 *len = le32_to_cpu(((struct smb2_query_info_req *)hdr)->InputBufferLength); in smb2_get_data_area_len()
135 *off = le16_to_cpu(((struct smb2_set_info_req *)hdr)->BufferOffset); in smb2_get_data_area_len()
136 *len = le32_to_cpu(((struct smb2_set_info_req *)hdr)->BufferLength); in smb2_get_data_area_len()
139 *off = le16_to_cpu(((struct smb2_read_req *)hdr)->ReadChannelInfoOffset); in smb2_get_data_area_len()
140 *len = le16_to_cpu(((struct smb2_read_req *)hdr)->ReadChannelInfoLength); in smb2_get_data_area_len()
143 if (((struct smb2_write_req *)hdr)->DataOffset || in smb2_get_data_area_len()
144 ((struct smb2_write_req *)hdr)->Length) { in smb2_get_data_area_len()
146 le16_to_cpu(((struct smb2_write_req *)hdr)->DataOffset), in smb2_get_data_area_len()
148 *len = le32_to_cpu(((struct smb2_write_req *)hdr)->Length); in smb2_get_data_area_len()
152 *off = le16_to_cpu(((struct smb2_write_req *)hdr)->WriteChannelInfoOffset); in smb2_get_data_area_len()
153 *len = le16_to_cpu(((struct smb2_write_req *)hdr)->WriteChannelInfoLength); in smb2_get_data_area_len()
156 *off = le16_to_cpu(((struct smb2_query_directory_req *)hdr)->FileNameOffset); in smb2_get_data_area_len()
157 *len = le16_to_cpu(((struct smb2_query_directory_req *)hdr)->FileNameLength); in smb2_get_data_area_len()
163 lock_count = le16_to_cpu(((struct smb2_lock_req *)hdr)->LockCount); in smb2_get_data_area_len()
171 *off = le32_to_cpu(((struct smb2_ioctl_req *)hdr)->InputOffset); in smb2_get_data_area_len()
172 *len = le32_to_cpu(((struct smb2_ioctl_req *)hdr)->InputCount); in smb2_get_data_area_len()
175 ksmbd_debug(SMB, "no length check for command\n"); in smb2_get_data_area_len()
181 ret = -EINVAL; in smb2_get_data_area_len()
183 ksmbd_debug(SMB, "Request is larger than maximum stream protocol length(%u): %llu\n", in smb2_get_data_area_len()
185 ret = -EINVAL; in smb2_get_data_area_len()
192 * Calculate the size of the SMB message based on the fixed header
198 struct smb2_hdr *hdr = &pdu->hdr; in smb2_calc_size()
200 unsigned int data_length; /* the length of the variable length data area */ in smb2_calc_size()
204 *len = le16_to_cpu(hdr->StructureSize); in smb2_calc_size()
207 * StructureSize2, ie length of fixed parameter area has already in smb2_calc_size()
208 * been checked to make sure it is the correct length. in smb2_calc_size()
210 *len += le16_to_cpu(pdu->StructureSize2); in smb2_calc_size()
217 if (hdr->Command == SMB2_LOCK) in smb2_calc_size()
218 *len -= sizeof(struct smb2_lock_element); in smb2_calc_size()
220 if (has_smb2_data_area[le16_to_cpu(hdr->Command)] == false) in smb2_calc_size()
226 ksmbd_debug(SMB, "SMB2 data length %u offset %u\n", data_length, in smb2_calc_size()
231 * Check to make sure that data area begins after fixed area, in smb2_calc_size()
232 * Note that last byte of the fixed area is part of data area in smb2_calc_size()
240 return -EINVAL; in smb2_calc_size()
253 return le32_to_cpu(h->InputBufferLength) + in smb2_query_info_req_len()
254 le32_to_cpu(h->OutputBufferLength); in smb2_query_info_req_len()
259 return le32_to_cpu(h->BufferLength); in smb2_set_info_req_len()
264 return le32_to_cpu(h->Length); in smb2_read_req_len()
269 return le32_to_cpu(h->Length); in smb2_write_req_len()
274 return le32_to_cpu(h->OutputBufferLength); in smb2_query_dir_req_len()
279 return le32_to_cpu(h->InputCount) + in smb2_ioctl_req_len()
280 le32_to_cpu(h->OutputCount); in smb2_ioctl_req_len()
285 return le32_to_cpu(h->MaxInputResponse) + in smb2_ioctl_resp_len()
286 le32_to_cpu(h->MaxOutputResponse); in smb2_ioctl_resp_len()
293 unsigned short credit_charge = le16_to_cpu(hdr->CreditCharge); in smb2_validate_credit_charge()
297 switch (hdr->Command) { in smb2_validate_credit_charge()
332 } else if (credit_charge > conn->vals->max_credits) { in smb2_validate_credit_charge()
337 spin_lock(&conn->credits_lock); in smb2_validate_credit_charge()
338 if (credit_charge > conn->total_credits) { in smb2_validate_credit_charge()
340 credit_charge, conn->total_credits); in smb2_validate_credit_charge()
344 if ((u64)conn->outstanding_credits + credit_charge > conn->total_credits) { in smb2_validate_credit_charge()
346 credit_charge, conn->outstanding_credits); in smb2_validate_credit_charge()
349 conn->outstanding_credits += credit_charge; in smb2_validate_credit_charge()
351 spin_unlock(&conn->credits_lock); in smb2_validate_credit_charge()
359 struct smb2_hdr *hdr = &pdu->hdr; in ksmbd_smb2_check_message()
361 __u32 clc_len; /* calculated length */ in ksmbd_smb2_check_message()
362 __u32 len = get_rfc1002_len(work->request_buf); in ksmbd_smb2_check_message()
363 __u32 req_struct_size, next_cmd = le32_to_cpu(hdr->NextCommand); in ksmbd_smb2_check_message()
365 if ((u64)work->next_smb2_rcv_hdr_off + next_cmd > len) { in ksmbd_smb2_check_message()
373 else if (work->next_smb2_rcv_hdr_off) in ksmbd_smb2_check_message()
374 len -= work->next_smb2_rcv_hdr_off; in ksmbd_smb2_check_message()
379 if (hdr->StructureSize != SMB2_HEADER_STRUCTURE_SIZE) { in ksmbd_smb2_check_message()
381 le16_to_cpu(hdr->StructureSize)); in ksmbd_smb2_check_message()
385 command = le16_to_cpu(hdr->Command); in ksmbd_smb2_check_message()
391 if (smb2_req_struct_sizes[command] != pdu->StructureSize2) { in ksmbd_smb2_check_message()
393 (le16_to_cpu(pdu->StructureSize2) == OP_BREAK_STRUCT_SIZE_20 || in ksmbd_smb2_check_message()
394 le16_to_cpu(pdu->StructureSize2) == OP_BREAK_STRUCT_SIZE_21))) { in ksmbd_smb2_check_message()
398 le16_to_cpu(pdu->StructureSize2), command); in ksmbd_smb2_check_message()
403 req_struct_size = le16_to_cpu(pdu->StructureSize2) + in ksmbd_smb2_check_message()
406 req_struct_size -= sizeof(struct smb2_lock_element); in ksmbd_smb2_check_message()
439 if (clc_len < len && (len - clc_len) <= 8) in ksmbd_smb2_check_message()
445 le64_to_cpu(hdr->MessageId)); in ksmbd_smb2_check_message()
451 if ((work->conn->vals->capabilities & SMB2_GLOBAL_CAP_LARGE_MTU) && in ksmbd_smb2_check_message()
452 smb2_validate_credit_charge(work->conn, hdr)) in ksmbd_smb2_check_message()