git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Zisen Ye <zisenye@stu.xidian.edu.cn>
	Wed, 6 May 2026 03:49:08 +0000 (11:49 +0800)
committer	Steve French <stfrench@microsoft.com>
	Thu, 7 May 2026 19:09:32 +0000 (14:09 -0500)
commit	8d09328dfda089675e4c049f3f256064a1d1996b
tree	8a2aa8a93ead70129a9c2bc7997c09f04b410b1a	tree \| snapshot
parent	d62b8d236fab503c6fec1d3e9a38bea71feaca20	commit \| diff

smb/client: fix out-of-bounds read in smb2_compound_op()

If a server sends a truncated response but a large OutputBufferLength, and
terminates the EA list early, check_wsl_eas() returns success without
validating that the entire OutputBufferLength fits within iov_len.

Then smb2_compound_op() does:
memcpy(idata->wsl.eas, data[0], size[0]);

Where size[0] is OutputBufferLength. If iov_len is smaller than size[0],
memcpy can read beyond the end of the rsp_iov allocation and leak adjacent
kernel heap memory.

Link: https://lore.kernel.org/linux-cifs/d998240c-aca9-420d-9dbd-f5ba24af19e0@chenxiaosong.com/
Fixes: ea41367b2a60 ("smb: client: introduce SMB2_OP_QUERY_WSL_EA")
Cc: stable@vger.kernel.org
Signed-off-by: Zisen Ye <zisenye@stu.xidian.edu.cn>
Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
Signed-off-by: Steve French <stfrench@microsoft.com>