git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Nicholas Carlini <nicholas@carlini.com>
	Thu, 19 Feb 2026 11:58:57 +0000 (20:58 +0900)
committer	Sasha Levin <sashal@kernel.org>
	Wed, 4 Mar 2026 12:20:53 +0000 (07:20 -0500)
commit	55abc475d096da4a5356b6efb0cfdc6156bc1550
tree	982ec99f035c71afd79db9c5b6c3d800df76d771	tree \| snapshot
parent	7dba6cd7fb168d7615194a631c9c100c1c224131	commit \| diff

ksmbd: fix signededness bug in smb_direct_prepare_negotiation()

[ Upstream commit 6b4f875aac344cdd52a1f34cc70ed2f874a65757 ]

smb_direct_prepare_negotiation() casts an unsigned __u32 value
from sp->max_recv_size and req->preferred_send_size to a signed
int before computing min_t(int, ...). A maliciously provided
preferred_send_size of 0x80000000 will return as smaller than
max_recv_size, and then be used to set the maximum allowed
alowed receive size for the next message.

By sending a second message with a large value (>1420 bytes)
the attacker can then achieve a heap buffer overflow.

This fix replaces min_t(int, ...) with min_t(u32)

Fixes: 0626e6641f6b ("cifsd: add server handler for central processing and tranport layers")
Signed-off-by: Nicholas Carlini <nicholas@carlini.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Acked-by: Stefan Metzmacher <metze@samba.org>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>