Message-ID: <20260122021015.1954-2-qikeyu2017@gmail.com>
Date: Thu, 22 Jan 2026 10:10:16 +0800
From: Kery Qi <qikeyu2017@...il.com>
To: linkinjeon@...nel.org,
	smfrench@...il.com
Cc: senozhatsky@...omium.org,
	tom@...pey.com,
	mmakassikis@...ebox.fr,
	linux-cifs@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	Kery Qi <qikeyu2017@...il.com>
Subject: [PATCH] ksmbd: validate DataOffset in smb2_write_pipe()

The check of DataOffset in smb2_write_pipe() is insufficient. If
DataOffset is 0 or smaller than offsetof(struct smb2_write_req, Buffer),
data_buf will point to the SMB2 header instead of the actual data
buffer, leading to an out-of-bounds read.

This is the same issue that was fixed in smb2_write() by commit
ac60778b87e4 ("ksmbd: prevent out of bound read for SMB2_WRITE"),
but the fix was not applied to smb2_write_pipe().

Add a check to ensure DataOffset is at least offsetof(struct
smb2_write_req, Buffer) to prevent this issue.

Fixes: 158a66b245739 ("ksmbd: validate length in smb2_write()")
Signed-off-by: Kery Qi <qikeyu2017@...il.com>
---
 fs/smb/server/smb2pdu.c | 6 ++++++
 1 file changed, 6 insertions(+)
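To make the failure mode concrete, here is an added C example (not part of the patch or of ksmbd): it models the on-wire WRITE request with a constructed, simplified layout (the 112-byte Buffer offset and the DataOffset/Length field positions are assumptions), reproduces the pre-patch pointer arithmetic, and shows that a DataOffset of 0 lands the data pointer on the SMB2 header unless the lower bound from the patch is enforced. The upper-bound check against the received length is an extra assumption, not something the hunk adds.

```c
#include <stdint.h>
#include <string.h>

/* Constructed, simplified on-wire SMB2 WRITE request (an assumption, not ksmbd's
 * struct smb2_write_req): 64-byte header + 48-byte fixed body, so Buffer is at 112. */
#define SMB2_HDR_LEN     64
#define WRITE_BUF_OFFSET (SMB2_HDR_LEN + 48) /* stands in for offsetof(..., Buffer) */
#define DATAOFFSET_POS   (SMB2_HDR_LEN + 2)  /* u16 DataOffset follows u16 StructureSize */
#define LENGTH_POS       (SMB2_HDR_LEN + 4)  /* u32 Length; all fields little-endian */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }

/* Offset of the write payload inside the PDU, or -1 where the kernel returns
 * -EINVAL. 'patched' enables the lower-bound check the patch adds; the upper-bound
 * check is an added assumption keeping data_buf + Length inside the received bytes. */
static long write_payload_offset(const uint8_t *pdu, size_t pdu_len, int patched)
{
    if (pdu_len < WRITE_BUF_OFFSET) return -1;
    uint16_t data_off = rd16(pdu + DATAOFFSET_POS);
    uint32_t length = rd32(pdu + LENGTH_POS);
    /* The check from the patch: DataOffset must not point back into header/body. */
    if (patched && data_off < WRITE_BUF_OFFSET) return -1;
    /* Assumed upper bound: payload must end within what was actually received. */
    if ((size_t)data_off > pdu_len || length > pdu_len - data_off) return -1;
    return data_off; /* data_buf = (char *)&req->hdr.ProtocolId + DataOffset */
}

/* Build a constructed WRITE PDU with 'payload' at Buffer and client-chosen
 * DataOffset/Length header fields. */
static size_t build_write(uint8_t *buf, uint16_t data_off, uint32_t length, const char *payload)
{
    size_t plen = strlen(payload);
    memset(buf, 0, WRITE_BUF_OFFSET);
    memcpy(buf, "\xfeSMB", 4);              /* ProtocolId */
    buf[SMB2_HDR_LEN] = 49;                 /* StructureSize */
    buf[DATAOFFSET_POS] = data_off & 0xff;
    buf[DATAOFFSET_POS + 1] = data_off >> 8;
    for (int i = 0; i < 4; i++)
        buf[LENGTH_POS + i] = (length >> (8 * i)) & 0xff;
    memcpy(buf + WRITE_BUF_OFFSET, payload, plen);
    return WRITE_BUF_OFFSET + plen;
}

/* Where data_buf lands for a 5-byte write whose DataOffset is 'data_off':
 * 0 means the SMB2 header is read as data, 112 means Buffer, -1 means rejected. */
static long demo(uint16_t data_off, int patched)
{
    uint8_t pdu[256];
    size_t n = build_write(pdu, data_off, 5, "hello");
    return write_payload_offset(pdu, n, patched);
}
```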

diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
index 2fcd0d4d1fb0..1f1086023e74 100644
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -6932,6 +6932,12 @@ static noinline int smb2_write_pipe(struct ksmbd_work *work)
 		goto out;
 	}
 
+	if (le16_to_cpu(req->DataOffset) <
+	    offsetof(struct smb2_write_req, Buffer)) {
+		err = -EINVAL;
+		goto out;
+	}
+
 	data_buf = (char *)(((char *)&req->hdr.ProtocolId) +
 			   le16_to_cpu(req->DataOffset));
 
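Review bot: the new check only closes the lower bound; because data_buf is still computed as hdr.ProtocolId + DataOffset at the end of the hunk, please confirm that the validation just above it (the block ending in the visible `goto out;`) also bounds DataOffset + Length against the length of the received PDU, otherwise a DataOffset larger than the request still yields an out-of-bounds read. Since the commit message says smb2_write() already carries this exact check, it may be worth keeping the two conditions textually identical so future fixes to one path are easy to mirror in the other.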
-- 
2.34.1

