Fixes for 5.15
authorSasha Levin <sashal@kernel.org>
Fri, 30 Aug 2024 18:38:34 +0000 (14:38 -0400)
committerSasha Levin <sashal@kernel.org>
Fri, 30 Aug 2024 18:38:34 +0000 (14:38 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
queue-5.15/ksmbd-the-buffer-of-smb2-query-dir-response-has-at-l.patch [new file with mode: 0644]
queue-5.15/series

diff --git a/queue-5.15/ksmbd-the-buffer-of-smb2-query-dir-response-has-at-l.patch b/queue-5.15/ksmbd-the-buffer-of-smb2-query-dir-response-has-at-l.patch
new file mode 100644 (file)
index 0000000..f6f66fa
--- /dev/null
@@ -0,0 +1,40 @@
+From 50f20b1d64076cd63bbc32b19f97968b547e7f2d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Aug 2024 22:07:38 +0900
+Subject: ksmbd: the buffer of smb2 query dir response has at least 1 byte
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+[ Upstream commit ce61b605a00502c59311d0a4b1f58d62b48272d0 ]
+
+When STATUS_NO_MORE_FILES status is set to smb2 query dir response,
+->StructureSize is set to 9, which mean buffer has 1 byte.
+This issue occurs because ->Buffer[1] in smb2_query_directory_rsp to
+flex-array.
+
+Fixes: eb3e28c1e89b ("smb3: Replace smb2pdu 1-element arrays with flex-arrays")
+Cc: stable@vger.kernel.org # v6.1+
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ksmbd/smb2pdu.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
+index 57f59172d8212..3458f2ae5cee4 100644
+--- a/fs/ksmbd/smb2pdu.c
++++ b/fs/ksmbd/smb2pdu.c
+@@ -4160,7 +4160,8 @@ int smb2_query_dir(struct ksmbd_work *work)
+               rsp->OutputBufferLength = cpu_to_le32(0);
+               rsp->Buffer[0] = 0;
+               rc = ksmbd_iov_pin_rsp(work, (void *)rsp,
+-                                     sizeof(struct smb2_query_directory_rsp));
++                                     offsetof(struct smb2_query_directory_rsp, Buffer)
++                                     + 1);
+               if (rc)
+                       goto err_out;
+       } else {
+-- 
+2.43.0
+
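Review bot: The upstream trailers in this queued patch read `Cc: stable@vger.kernel.org # v6.1+` and `Fixes: eb3e28c1e89b`, yet the file lands in queue-5.15, so it is worth confirming that the 5.15 tree already carries the flex-array conversion of `smb2_query_directory_rsp`. If `Buffer` is still a one-element array there, the new length presumably equals the old `sizeof` and the change is a no-op. In the STATUS_NO_MORE_FILES branch the code writes `rsp->Buffer[0] = 0` and then pins `offsetof(struct smb2_query_directory_rsp, Buffer) + 1` bytes, and the bare `+ 1` would read better with a comment such as `/* StructureSize is 9: fixed header plus one byte of Buffer, sent even when OutputBufferLength is 0 */`. Whether the response buffer always has room for that byte is decided outside the hunk, since smb2_query_dir's body starts and ends beyond the visible lines.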
index 6fdcfdaf02d6d51e55729ce952a5f75246e93119..2bfd114788fd90a67473f6ec01539ff93416cc0b 100644 (file)
@@ -184,3 +184,4 @@ drm-amdkfd-don-t-allow-mapping-the-mmio-hdp-page-with-large-pages.patch
 ata-libata-core-fix-null-pointer-dereference-on-error.patch
 cgroup-cpuset-prevent-uaf-in-proc_cpuset_show.patch
 net-rds-fix-possible-deadlock-in-rds_message_put.patch
+ksmbd-the-buffer-of-smb2-query-dir-response-has-at-l.patch