From e50a07437a9ef5a3b2efe414643e2cdcb6b2e644 Mon Sep 17 00:00:00 2001 From: Namjae Jeon Date: Sun, 21 Jun 2026 19:40:37 +0900 Subject: [PATCH] ksmbd: preserve compound responses for chained errors set_smb2_rsp_status() resets the response iov and compound offsets before building an error response. That is fine for a single request, but it corrupts a compound response when an error is detected after an earlier compound element has already been completed. smb2.compound.invalid4 sends a READ as the first compound element and a bogus command as the second one. The READ response must remain in the compound response with STATUS_END_OF_FILE, followed by the bogus command response with STATUS_INVALID_PARAMETER. Resetting the response state for the second command breaks the compound framing and the client reports NT_STATUS_INVALID_NETWORK_RESPONSE. When setting an error for a chained command, update and pin only the current compound response slot instead of resetting the whole response. Signed-off-by: Namjae Jeon Signed-off-by: Steve French --- fs/smb/server/smb2pdu.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c index d3bd198ec9389..35f23b427bd17 100644 --- a/fs/smb/server/smb2pdu.c +++ b/fs/smb/server/smb2pdu.c @@ -246,6 +246,13 @@ void set_smb2_rsp_status(struct ksmbd_work *work, __le32 err) { struct smb2_hdr *rsp_hdr; + if (work->next_smb2_rcv_hdr_off) { + rsp_hdr = ksmbd_resp_buf_next(work); + rsp_hdr->Status = err; + smb2_set_err_rsp(work); + return; + } + rsp_hdr = smb_get_msg(work->response_buf); rsp_hdr->Status = err; -- 2.47.3
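Review bot: The new `if (work->next_smb2_rcv_hdr_off)` branch at the top of set_smb2_rsp_status() carries no comment, and it uses a request-side offset to decide that the slot returned by `ksmbd_resp_buf_next(work)` is the one to overwrite. Please add a short comment above the `if` stating that a non-zero next_smb2_rcv_hdr_off means an earlier compound element has already been answered, so the response iov and compound offsets must not be reset here. Please also confirm that the response-side offset has already been advanced to the current element on every path that can call this function for a chained command, since `rsp_hdr->Status = err` is written through that pointer and a stale offset would put the status in a header other than the current element's. The commit message says the current slot is "pinned", but nothing in these lines shows that; if smb2_set_err_rsp() is what does it, the comment should say so. When next_smb2_rcv_hdr_off is zero the existing reset path below still runs, which appears to cover an error on the first element of a compound; that matches the commit message and is worth a word in the same comment.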