From: Qianchang Zhao <pioooooooooip@gmail.com>
Date: Wed, 22 Oct 2025 06:27:47 +0000 (+0900)
Subject: ksmbd: transport_ipc: validate payload size before reading handle
X-Git-Tag: v6.12.56~1
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=898d527ed94c19980a4d848f10057f1fed578ffb;p=thirdparty%2Fkernel%2Fstable.git

ksmbd: transport_ipc: validate payload size before reading handle

commit 6f40e50ceb99fc8ef37e5c56e2ec1d162733fef0 upstream.

handle_response() dereferences the payload as a 4-byte handle without
verifying that the declared payload size is at least 4 bytes. A malformed
or truncated message from ksmbd.mountd can lead to a 4-byte read past the
declared payload size. Validate the size before dereferencing.

This is a minimal fix to guard the initial handle read.

Fixes: 0626e6641f6b ("cifsd: add server handler for central processing and tranport layers")
Cc: stable@vger.kernel.org
Reported-by: Qianchang Zhao <pioooooooooip@gmail.com>
Signed-off-by: Qianchang Zhao <pioooooooooip@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

diff --git a/fs/smb/server/transport_ipc.c b/fs/smb/server/transport_ipc.c
index 816f136ce5c4..ce5c50ac987c 100644
--- a/fs/smb/server/transport_ipc.c
+++ b/fs/smb/server/transport_ipc.c
@@ -263,10 +263,16 @@ static void ipc_msg_handle_free(int handle)
 
 static int handle_response(int type, void *payload, size_t sz)
 {
-	unsigned int handle = *(unsigned int *)payload;
+	unsigned int handle;
 	struct ipc_msg_table_entry *entry;
 	int ret = 0;
 
+	/* Prevent 4-byte read beyond declared payload size */
+	if (sz < sizeof(unsigned int))
+		return -EINVAL;
+
+	handle = *(unsigned int *)payload;
+
 	ipc_update_last_active();
 	down_read(&ipc_msg_table_lock);
 	hash_for_each_possible(ipc_msg_table, entry, ipc_table_hlist, handle) {