| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAKYAXd-JFuBptqzEbgggUhaF2bEfWMRXCSK9N_spiBxvi1v0Wg@mail.gmail.com>
Date: Wed, 22 Oct 2025 15:39:03 +0900
From: Namjae Jeon <linkinjeon@...nel.org>
To: Qianchang Zhao <pioooooooooip@...il.com>
Cc: Steve French <smfrench@...il.com>, Sergey Senozhatsky <senozhatsky@...omium.org>,
Tom Talpey <tom@...pey.com>, linux-cifs@...r.kernel.org, linux-kernel@...r.kernel.org,
gregkh@...uxfoundation.org, stable@...r.kernel.org
Subject: Re: [PATCH] ksmbd: transport_ipc: validate payload size before
reading handle
On Tue, Oct 21, 2025 at 11:55 PM Qianchang Zhao <pioooooooooip@...il.com> wrote:
>
> handle_response() dereferences the payload as a 4-byte handle without
> verifying that the declared payload size is at least 4 bytes. A malformed
> or truncated message from ksmbd.mountd can lead to a 4-byte read past the
> declared payload size. Validate the size before dereferencing.
>
> This is a minimal fix to guard the initial handle read.
>
> Fixes: 0626e6641f6b ("cifsd: add server handler for central processing and tranport layers")
> Cc: stable@...r.kernel.org
> Reported-by: Qianchang Zhao <pioooooooooip@...il.com>
> Signed-off-by: Qianchang Zhao <pioooooooooip@...il.com>
I have directly updated your patch. Can you check the attached patch ?
Thanks!
View attachment "0001-ksmbd-transport_ipc-validate-payload-size-before-rea.patch" of type "text/x-patch" (1753 bytes)
Powered by blists - more mailing lists