| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20251021145449.473932-1-pioooooooooip@gmail.com>
Date: Tue, 21 Oct 2025 23:54:49 +0900
From: Qianchang Zhao <pioooooooooip@...il.com>
To: Namjae Jeon <linkinjeon@...nel.org>,
Steve French <smfrench@...il.com>
Cc: Sergey Senozhatsky <senozhatsky@...omium.org>,
Tom Talpey <tom@...pey.com>,
linux-cifs@...r.kernel.org,
linux-kernel@...r.kernel.org,
gregkh@...uxfoundation.org,
Qianchang Zhao <pioooooooooip@...il.com>,
stable@...r.kernel.org
Subject: [PATCH] ksmbd: transport_ipc: validate payload size before reading handle
handle_response() dereferences the payload as a 4-byte handle without
verifying that the declared payload size is at least 4 bytes. A malformed
or truncated message from ksmbd.mountd can lead to a 4-byte read past the
declared payload size. Validate the size before dereferencing.
This is a minimal fix to guard the initial handle read.
Fixes: 0626e6641f6b ("cifsd: add server handler for central processing and tranport layers")
Cc: stable@...r.kernel.org
Reported-by: Qianchang Zhao <pioooooooooip@...il.com>
Signed-off-by: Qianchang Zhao <pioooooooooip@...il.com>
---
fs/smb/server/transport_ipc.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/fs/smb/server/transport_ipc.c b/fs/smb/server/transport_ipc.c
index 46f87fd1ce1c..2028de4d3ddf 100644
--- a/fs/smb/server/transport_ipc.c
+++ b/fs/smb/server/transport_ipc.c
@@ -263,6 +263,10 @@ static void ipc_msg_handle_free(int handle)
static int handle_response(int type, void *payload, size_t sz)
{
+ /* Prevent 4-byte read beyond declared payload size */
+ if (sz < sizeof(unsigned int))
+ return -EINVAL;
+
unsigned int handle = *(unsigned int *)payload;
struct ipc_msg_table_entry *entry;
int ret = 0;
--
2.34.1
Powered by blists - more mailing lists