]> git.ipfire.org Git - thirdparty/linux.git/commitdiff
smb: client: harden POSIX SID length parsing
authorZihan Xi <xizh2024@lzu.edu.cn>
Sun, 28 Jun 2026 09:19:24 +0000 (17:19 +0800)
committerSteve French <stfrench@microsoft.com>
Thu, 2 Jul 2026 01:19:15 +0000 (20:19 -0500)
posix_info_sid_size() reads sid[1] to obtain the subauthority count,
but its existing boundary check still accepts buffers with only one
remaining byte. Require two bytes before reading sid[1] so all client
paths that reuse the helper reject truncated POSIX SIDs safely.

Fixes: 349e13ad30b4 ("cifs: add smb2 POSIX info level")
Cc: stable@vger.kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Assisted-by: Codex:gpt-5.4
Signed-off-by: Zihan Xi <xizh2024@lzu.edu.cn>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Signed-off-by: Steve French <stfrench@microsoft.com>
fs/smb/client/smb2pdu.c

index d058584b8f05fabf372a786a5860be8d7cfe280e..77738900e75e20eb362d63890e848c060c2315a8 100644 (file)
@@ -5405,7 +5405,7 @@ int posix_info_sid_size(const void *beg, const void *end)
        size_t subauth;
        int total;
 
-       if (beg + 1 > end)
+       if (beg + 2 > end)
                return -1;
 
        subauth = *(u8 *)(beg+1);