From: Namjae Jeon Date: Sun, 21 Jun 2026 10:39:59 +0000 (+0900) Subject: ksmbd: validate handle for create or get object id X-Git-Tag: v7.2-rc1~23^2~23 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7d258465ea49d82668f52de96f3f0c84727003e4;p=thirdparty%2Fkernel%2Flinux.git ksmbd: validate handle for create or get object id FSCTL_CREATE_OR_GET_OBJECT_ID returned a dummy successful response without checking whether the request handle was valid. That let an invalid related compound handle succeed in smb2.compound.related5, although the client expected STATUS_FILE_CLOSED. Look up the file handle before building the object id response and fail with STATUS_FILE_CLOSED when the handle is invalid or already closed. Signed-off-by: Namjae Jeon Signed-off-by: Steve French --- diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c index df79533dc0a23..d3bd198ec9389 100644 --- a/fs/smb/server/smb2pdu.c +++ b/fs/smb/server/smb2pdu.c @@ -8789,6 +8789,15 @@ int smb2_ioctl(struct ksmbd_work *work) case FSCTL_CREATE_OR_GET_OBJECT_ID: { struct file_object_buf_type1_ioctl_rsp *obj_buf; + struct ksmbd_file *fp; + + fp = ksmbd_lookup_fd_fast(work, id); + if (!fp) { + ret = -EBADF; + rsp->hdr.Status = STATUS_FILE_CLOSED; + goto out2; + } + ksmbd_fd_put(work, fp); nbytes = sizeof(struct file_object_buf_type1_ioctl_rsp); obj_buf = (struct file_object_buf_type1_ioctl_rsp *)
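Review bot: in the new lines under `case FSCTL_CREATE_OR_GET_OBJECT_ID:`, `fp` is obtained with `ksmbd_lookup_fd_fast(work, id)` and released by `ksmbd_fd_put(work, fp)` immediately afterwards, so it acts only as an existence check and nothing from the file reaches the response. A short comment stating that the lookup is validation only would keep a later reader from assuming the reference is still held while `obj_buf` is filled. Two things are worth confirming outside the visible lines. First, that `id` at this point is already the resolved volatile id for a related compound request, which is the case the commit message cites from smb2.compound.related5. Second, that the `out2` path leaves the `STATUS_FILE_CLOSED` set here untouched, since `ret = -EBADF` is set alongside it and any errno-to-status mapping on the way out would replace the status the client expects.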