diff options
| author | Guangshuo Li <lgs201920130244@gmail.com> | 2026-07-08 20:35:20 +0800 |
|---|---|---|
| committer | Steve French <stfrench@microsoft.com> | 2026-07-09 07:55:42 -0500 |
| commit | a4f27ad055392fa164f5649e89a3637b033c5fcc (patch) | |
| tree | 76b61d6fbbf927d64b56a66ec25488bd04546a53 /rust/kernel/drm/gpuvm/git@git.tavy.me:linux-stable.git | |
| parent | 75f5c412fa867efa0bf9b646bffe0d912109e84a (diff) | |
smb: client: fix overflow in passthrough ioctl bounds check
smb2_ioctl_query_info() validates the PASSTHRU_FSCTL response payload
before copying it to userspace.
The payload offset and length both come from 32-bit fields. The bounds
check currently adds OutputOffset and qi.input_buffer_length directly, so
the addition can wrap in 32-bit arithmetic before the result is compared
against the response buffer length.
A malicious server can use a large OutputOffset and a small OutputCount
to make the wrapped sum pass the bounds check. The later copy_to_user()
then reads from io_rsp + OutputOffset, outside the response buffer.
Use size_add() for the offset plus length check so overflow is treated as
out of bounds.
Fixes: 2b1116bbe898 ("CIFS: Use common error handling code in smb2_ioctl_query_info()")
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Diffstat (limited to 'rust/kernel/drm/gpuvm/git@git.tavy.me:linux-stable.git')
0 files changed, 0 insertions, 0 deletions
