]> git.ipfire.org Git - thirdparty/kernel/linux.git/commitdiff
smb: client: fix overflow in passthrough ioctl bounds check
authorGuangshuo Li <lgs201920130244@gmail.com>
Wed, 8 Jul 2026 12:35:20 +0000 (20:35 +0800)
committerSteve French <stfrench@microsoft.com>
Thu, 9 Jul 2026 12:55:42 +0000 (07:55 -0500)
smb2_ioctl_query_info() validates the PASSTHRU_FSCTL response payload
before copying it to userspace.

The payload offset and length both come from 32-bit fields. The bounds
check currently adds OutputOffset and qi.input_buffer_length directly, so
the addition can wrap in 32-bit arithmetic before the result is compared
against the response buffer length.

A malicious server can use a large OutputOffset and a small OutputCount
to make the wrapped sum pass the bounds check. The later copy_to_user()
then reads from io_rsp + OutputOffset, outside the response buffer.

Use size_add() for the offset plus length check so overflow is treated as
out of bounds.

Fixes: 2b1116bbe898 ("CIFS: Use common error handling code in smb2_ioctl_query_info()")
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
fs/smb/client/smb2ops.c

index 15b3ae45c833784cc70de6de6559a165683a9904..1d60a431494b6f7f8efe1bf89acecce103f2a661 100644 (file)
@@ -1772,8 +1772,8 @@ replay_again:
                if (le32_to_cpu(io_rsp->OutputCount) < qi.input_buffer_length)
                        qi.input_buffer_length = le32_to_cpu(io_rsp->OutputCount);
                if (qi.input_buffer_length > 0 &&
-                   le32_to_cpu(io_rsp->OutputOffset) + qi.input_buffer_length
-                   > rsp_iov[1].iov_len) {
+                    size_add(le32_to_cpu(io_rsp->OutputOffset),
+                            qi.input_buffer_length) > rsp_iov[1].iov_len) {
                        rc = -EFAULT;
                        goto out;
                }