+++ /dev/null
-From 50f20b1d64076cd63bbc32b19f97968b547e7f2d Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 20 Aug 2024 22:07:38 +0900
-Subject: ksmbd: the buffer of smb2 query dir response has at least 1 byte
-
-From: Namjae Jeon <linkinjeon@kernel.org>
-
-[ Upstream commit ce61b605a00502c59311d0a4b1f58d62b48272d0 ]
-
-When STATUS_NO_MORE_FILES status is set to smb2 query dir response,
-->StructureSize is set to 9, which mean buffer has 1 byte.
-This issue occurs because ->Buffer[1] in smb2_query_directory_rsp to
-flex-array.
-
-Fixes: eb3e28c1e89b ("smb3: Replace smb2pdu 1-element arrays with flex-arrays")
-Cc: stable@vger.kernel.org # v6.1+
-Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
-Signed-off-by: Steve French <stfrench@microsoft.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- fs/ksmbd/smb2pdu.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
-index 57f59172d8212..3458f2ae5cee4 100644
---- a/fs/ksmbd/smb2pdu.c
-+++ b/fs/ksmbd/smb2pdu.c
-@@ -4160,7 +4160,8 @@ int smb2_query_dir(struct ksmbd_work *work)
- rsp->OutputBufferLength = cpu_to_le32(0);
- rsp->Buffer[0] = 0;
- rc = ksmbd_iov_pin_rsp(work, (void *)rsp,
-- sizeof(struct smb2_query_directory_rsp));
-+ offsetof(struct smb2_query_directory_rsp, Buffer)
-+ + 1);
- if (rc)
- goto err_out;
- } else {
---
-2.43.0
-
ata-libata-core-fix-null-pointer-dereference-on-error.patch
cgroup-cpuset-prevent-uaf-in-proc_cpuset_show.patch
net-rds-fix-possible-deadlock-in-rds_message_put.patch
-ksmbd-the-buffer-of-smb2-query-dir-response-has-at-l.patch
soundwire-stream-fix-programming-slave-ports-for-non-continous-port-maps.patch
pm-core-remove-define_universal_dev_pm_ops-macro.patch
pm-core-add-export-_gpl-_simple_dev_pm_ops-macros.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
