ksmbd: move leading slash check to smb2_get_name()
authorNamjae Jeon <linkinjeon@kernel.org>
Mon, 10 Jun 2024 14:06:19 +0000 (23:06 +0900)
committerSteve French <stfrench@microsoft.com>
Wed, 12 Jun 2024 04:43:09 +0000 (23:43 -0500)
If the directory name in the root of the share starts with
a character like 镜(0x955c) or Ṝ(0x1e5c), it (and anything inside)
cannot be accessed. The leading slash check must be performed after
converting unicode to nls string.

Cc: stable@vger.kernel.org
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
fs/smb/server/smb2pdu.c

index b6c5a8ea388791d2c6fbb2fc599cc3284f6ff3d3..f79d06d2d655cfecfcc8c49aaf33f828b0cad29f 100644 (file)
@@ -630,6 +630,12 @@ smb2_get_name(const char *src, const int maxlen, struct nls_table *local_nls)
                return name;
        }
 
+       if (*name == '\\') {
+               pr_err("not allow directory name included leading slash\n");
+               kfree(name);
+               return ERR_PTR(-EINVAL);
+       }
+
        ksmbd_conv_path_to_unix(name);
        ksmbd_strip_last_slash(name);
        return name;
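Review bot: The added `pr_err()` fires on a condition the remote client fully controls, so a peer that keeps sending names with a leading backslash can flood the kernel log at error level; prefer `pr_err_ratelimited("not allow directory name included leading slash\n");` or a debug-level message. The check now sits in smb2_get_name() and is no longer gated on FILE_DIRECTORY_FILE_LE, so it rejects every converted name that starts with a backslash, yet the message still says "directory name" and any other callers of this helper (not visible here) inherit the rejection. A short comment would record why the test lives here, for example `/* test after UTF-16 -> NLS conversion: the first raw byte can be 0x5c for a character that is not a backslash */`. The function body starts outside the hunk.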
@@ -2842,20 +2848,11 @@ int smb2_open(struct ksmbd_work *work)
        }
 
        if (req->NameLength) {
-               if ((req->CreateOptions & FILE_DIRECTORY_FILE_LE) &&
-                   *(char *)req->Buffer == '\\') {
-                       pr_err("not allow directory name included leading slash\n");
-                       rc = -EINVAL;
-                       goto err_out2;
-               }
-
                name = smb2_get_name((char *)req + le16_to_cpu(req->NameOffset),
                                     le16_to_cpu(req->NameLength),
                                     work->conn->local_nls);
                if (IS_ERR(name)) {
                        rc = PTR_ERR(name);
-                       if (rc != -ENOMEM)
-                               rc = -ENOENT;
                        name = NULL;
                        goto err_out2;
                }
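Review bot: With the `if (rc != -ENOMEM) rc = -ENOENT;` remap removed, every error smb2_get_name() returns now reaches `err_out2` unchanged, not just the new -EINVAL. A name that fails conversion was previously reported as -ENOENT, so the status the client sees for it may change, depending on how `err_out2` translates rc (that code is outside this hunk). If the pass-through is intended, a comment above the `IS_ERR(name)` branch would make the contract explicit, for example `/* smb2_get_name() error codes are passed through; err_out2 maps them to the SMB2 status */`. Also confirm that each code the helper can return has a deliberate mapping there. smb2_open's body extends well beyond the hunk on both sides.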