]> git.ipfire.org Git - thirdparty/kernel/linux.git/commitdiff
ksmbd: validate handle for create or get object id
authorNamjae Jeon <linkinjeon@kernel.org>
Sun, 21 Jun 2026 10:39:59 +0000 (19:39 +0900)
committerSteve French <stfrench@microsoft.com>
Tue, 23 Jun 2026 01:15:05 +0000 (20:15 -0500)
FSCTL_CREATE_OR_GET_OBJECT_ID returned a dummy successful response without
checking whether the request handle was valid. That let an invalid related
compound handle succeed in smb2.compound.related5, although the client
expected STATUS_FILE_CLOSED.

Look up the file handle before building the object id response and fail
with STATUS_FILE_CLOSED when the handle is invalid or already closed.

Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
fs/smb/server/smb2pdu.c

index df79533dc0a233d63608a23306404810309cb7bf..d3bd198ec938953365c709709dbc18b0c1bd4288 100644 (file)
@@ -8789,6 +8789,15 @@ int smb2_ioctl(struct ksmbd_work *work)
        case FSCTL_CREATE_OR_GET_OBJECT_ID:
        {
                struct file_object_buf_type1_ioctl_rsp *obj_buf;
+               struct ksmbd_file *fp;
+
+               fp = ksmbd_lookup_fd_fast(work, id);
+               if (!fp) {
+                       ret = -EBADF;
+                       rsp->hdr.Status = STATUS_FILE_CLOSED;
+                       goto out2;
+               }
+               ksmbd_fd_put(work, fp);
 
                nbytes = sizeof(struct file_object_buf_type1_ioctl_rsp);
                obj_buf = (struct file_object_buf_type1_ioctl_rsp *)