]> git.ipfire.org Git - thirdparty/kernel/linux.git/commit
smb: client: fix overflow in passthrough ioctl bounds check
authorGuangshuo Li <lgs201920130244@gmail.com>
Wed, 8 Jul 2026 12:35:20 +0000 (20:35 +0800)
committerSteve French <stfrench@microsoft.com>
Thu, 9 Jul 2026 12:55:42 +0000 (07:55 -0500)
commita4f27ad055392fa164f5649e89a3637b033c5fcc
tree76b61d6fbbf927d64b56a66ec25488bd04546a53
parent75f5c412fa867efa0bf9b646bffe0d912109e84a
smb: client: fix overflow in passthrough ioctl bounds check

smb2_ioctl_query_info() validates the PASSTHRU_FSCTL response payload
before copying it to userspace.

The payload offset and length both come from 32-bit fields. The bounds
check currently adds OutputOffset and qi.input_buffer_length directly, so
the addition can wrap in 32-bit arithmetic before the result is compared
against the response buffer length.

A malicious server can use a large OutputOffset and a small OutputCount
to make the wrapped sum pass the bounds check. The later copy_to_user()
then reads from io_rsp + OutputOffset, outside the response buffer.

Use size_add() for the offset plus length check so overflow is treated as
out of bounds.

Fixes: 2b1116bbe898 ("CIFS: Use common error handling code in smb2_ioctl_query_info()")
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
fs/smb/client/smb2ops.c