]> git.ipfire.org Git - thirdparty/kernel/linux.git/commitdiff
ksmbd: preserve compound responses for chained errors
authorNamjae Jeon <linkinjeon@kernel.org>
Sun, 21 Jun 2026 10:40:37 +0000 (19:40 +0900)
committerSteve French <stfrench@microsoft.com>
Tue, 23 Jun 2026 01:15:05 +0000 (20:15 -0500)
set_smb2_rsp_status() resets the response iov and compound offsets before
building an error response. That is fine for a single request, but it
corrupts a compound response when an error is detected after an earlier
compound element has already been completed.

smb2.compound.invalid4 sends a READ as the first compound element and a
bogus command as the second one. The READ response must remain in
the compound response with STATUS_END_OF_FILE, followed by the bogus
command response with STATUS_INVALID_PARAMETER. Resetting the response
state for the second command breaks the compound framing and the client
reports NT_STATUS_INVALID_NETWORK_RESPONSE.

When setting an error for a chained command, update and pin only
the current compound response slot instead of resetting the whole response.

Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
fs/smb/server/smb2pdu.c

index d3bd198ec938953365c709709dbc18b0c1bd4288..35f23b427bd1754772ec1f6ccb682d92748b4752 100644 (file)
@@ -246,6 +246,13 @@ void set_smb2_rsp_status(struct ksmbd_work *work, __le32 err)
 {
        struct smb2_hdr *rsp_hdr;
 
+       if (work->next_smb2_rcv_hdr_off) {
+               rsp_hdr = ksmbd_resp_buf_next(work);
+               rsp_hdr->Status = err;
+               smb2_set_err_rsp(work);
+               return;
+       }
+
        rsp_hdr = smb_get_msg(work->response_buf);
        rsp_hdr->Status = err;