summaryrefslogtreecommitdiff
path: root/rust/zerocopy/git@git.tavy.me:linux-stable.git
diff options
context:
space:
mode:
authorGuangshuo Li <lgs201920130244@gmail.com>2026-07-08 20:35:20 +0800
committerSteve French <stfrench@microsoft.com>2026-07-09 07:55:42 -0500
commita4f27ad055392fa164f5649e89a3637b033c5fcc (patch)
tree76b61d6fbbf927d64b56a66ec25488bd04546a53 /rust/zerocopy/git@git.tavy.me:linux-stable.git
parent75f5c412fa867efa0bf9b646bffe0d912109e84a (diff)
smb: client: fix overflow in passthrough ioctl bounds check
smb2_ioctl_query_info() validates the PASSTHRU_FSCTL response payload before copying it to userspace. The payload offset and length both come from 32-bit fields. The bounds check currently adds OutputOffset and qi.input_buffer_length directly, so the addition can wrap in 32-bit arithmetic before the result is compared against the response buffer length. A malicious server can use a large OutputOffset and a small OutputCount to make the wrapped sum pass the bounds check. The later copy_to_user() then reads from io_rsp + OutputOffset, outside the response buffer. Use size_add() for the offset plus length check so overflow is treated as out of bounds. Fixes: 2b1116bbe898 ("CIFS: Use common error handling code in smb2_ioctl_query_info()") Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com> Signed-off-by: Steve French <stfrench@microsoft.com>
Diffstat (limited to 'rust/zerocopy/git@git.tavy.me:linux-stable.git')
0 files changed, 0 insertions, 0 deletions