6.1-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 29 Oct 2025 10:37:38 +0000 (11:37 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 29 Oct 2025 10:37:38 +0000 (11:37 +0100)
added patches:
ksmbd-transport_ipc-validate-payload-size-before-reading-handle.patch

queue-6.1/ksmbd-transport_ipc-validate-payload-size-before-reading-handle.patch [new file with mode: 0644]
queue-6.1/series

diff --git a/queue-6.1/ksmbd-transport_ipc-validate-payload-size-before-reading-handle.patch b/queue-6.1/ksmbd-transport_ipc-validate-payload-size-before-reading-handle.patch
new file mode 100644 (file)
index 0000000..68b2daa
--- /dev/null
@@ -0,0 +1,47 @@
+From 6f40e50ceb99fc8ef37e5c56e2ec1d162733fef0 Mon Sep 17 00:00:00 2001
+From: Qianchang Zhao <pioooooooooip@gmail.com>
+Date: Wed, 22 Oct 2025 15:27:47 +0900
+Subject: ksmbd: transport_ipc: validate payload size before reading handle
+
+From: Qianchang Zhao <pioooooooooip@gmail.com>
+
+commit 6f40e50ceb99fc8ef37e5c56e2ec1d162733fef0 upstream.
+
+handle_response() dereferences the payload as a 4-byte handle without
+verifying that the declared payload size is at least 4 bytes. A malformed
+or truncated message from ksmbd.mountd can lead to a 4-byte read past the
+declared payload size. Validate the size before dereferencing.
+
+This is a minimal fix to guard the initial handle read.
+
+Fixes: 0626e6641f6b ("cifsd: add server handler for central processing and tranport layers")
+Cc: stable@vger.kernel.org
+Reported-by: Qianchang Zhao <pioooooooooip@gmail.com>
+Signed-off-by: Qianchang Zhao <pioooooooooip@gmail.com>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/transport_ipc.c |    8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/fs/smb/server/transport_ipc.c
++++ b/fs/smb/server/transport_ipc.c
+@@ -249,10 +249,16 @@ static void ipc_msg_handle_free(int hand
+ static int handle_response(int type, void *payload, size_t sz)
+ {
+-      unsigned int handle = *(unsigned int *)payload;
++      unsigned int handle;
+       struct ipc_msg_table_entry *entry;
+       int ret = 0;
++      /* Prevent 4-byte read beyond declared payload size */
++      if (sz < sizeof(unsigned int))
++              return -EINVAL;
++
++      handle = *(unsigned int *)payload;
++
+       ipc_update_last_active();
+       down_read(&ipc_msg_table_lock);
+       hash_for_each_possible(ipc_msg_table, entry, ipc_table_hlist, handle) {
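Review bot: The new guard on the `if (sz < sizeof(unsigned int))` line is expressed in terms of the type rather than the object it protects; writing it as `if (sz < sizeof(handle))` keeps the check and the dereference on the following `handle = *(unsigned int *)payload;` line in lockstep if the handle type is ever changed. The embedded commit message says only the initial handle read is guarded, and handle_response continues past the end of the hunk, so whether later uses of payload and sz inside the function are bounded cannot be judged from this page. The existing comment could state the contract it enforces more precisely, e.g. `/* payload must hold at least the 4-byte handle; reject anything shorter */`.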
index 021a218cde1b6a8c74812f19b725b270aa2b2bb2..52898d7397271c6c2f61c91b6c8c912b42c142d1 100644 (file)
@@ -155,3 +155,4 @@ mm-ksm-fix-flag-dropping-behavior-in-ksm_madvise.patch
 revert-selftests-mm-fix-map_hugetlb-failure-on-64k-page-size-systems.patch
 arm64-cputype-add-neoverse-v3ae-definitions.patch
 arm64-errata-apply-workarounds-for-neoverse-v3ae.patch
+ksmbd-transport_ipc-validate-payload-size-before-reading-handle.patch