git.ipfire.org Git - thirdparty/kernel/linux.git/commit
smb/client: fix possible infinite loop and oob read in symlink_data()
author Ye Bin <yebin10@huawei.com>
Thu, 14 May 2026 13:14:18 +0000 (21:14 +0800)
committer Steve French <stfrench@microsoft.com>
Thu, 14 May 2026 14:40:17 +0000 (09:40 -0500)
commit 7d9a7f1f96cd617ee9e75bb22217c709038e26b8
tree cb5305e6305afc4c9f33b7d3422206166b53376f
parent 603ab5ea6482c723216b59cb733e8ba248619ee9
smb/client: fix possible infinite loop and oob read in symlink_data()

On 32-bit architectures, the infinite loop is as follows:

  len = p->ErrorDataLength == 0xfffffff8
  u8 *next = p->ErrorContextData + len
  next == p

On 32-bit architectures, the out-of-bounds read is as follows:

  len = p->ErrorDataLength == 0xfffffff0
  u8 *next = p->ErrorContextData + len
  next == (u8 *)p - 8

Reported-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
Fixes: 76894f3e2f71 ("cifs: improve symlink handling for smb2+")
Cc: stable@vger.kernel.org
Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
Signed-off-by: Steve French <stfrench@microsoft.com>
fs/smb/client/smb2file.c
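
The wraparound described in the commit message can be reproduced on any host by modelling 32-bit pointer arithmetic with `uint32_t`. The following is an added example, not the kernel patch or code from this commit: `next_addr32`, `get_le32` and `count_contexts` are hypothetical names, and `CTX_HDR` (8 bytes before `ErrorContextData`) is an assumption taken from the message's own arithmetic. The walker shows one defensive pattern: compare the untrusted length against the bytes remaining before adding it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CTX_HDR 8u /* assumed: bytes preceding ErrorContextData in each context */

/* Model of `p->ErrorContextData + len` with 32-bit pointers: wraps mod 2^32. */
static uint32_t next_addr32(uint32_t p, uint32_t len)
{
    return p + CTX_HDR + len;
}

/* Little-endian 32-bit load from an untrusted buffer. */
static uint32_t get_le32(const uint8_t *b)
{
    return (uint32_t)b[0] | (uint32_t)b[1] << 8 |
           (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
}

/*
 * Hypothetical walker: count contexts in buf[0..buf_len) by offset.
 * The length is checked against the remaining bytes before it is added,
 * so no wrapped position is ever formed. Returns -1 on a malformed length.
 * Any alignment padding between contexts is omitted for brevity.
 */
static int count_contexts(const uint8_t *buf, size_t buf_len)
{
    size_t off = 0;
    int n = 0;

    while (off < buf_len) {
        uint32_t len;

        if (buf_len - off < CTX_HDR)
            return -1;
        len = get_le32(buf + off);
        if (len > buf_len - off - CTX_HDR)
            return -1;
        off += CTX_HDR + len;
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed sample: one context whose length field is 0xfffffff8. */
    const uint8_t bad[16] = { 0xf8, 0xff, 0xff, 0xff };

    printf("next = 0x%x\n", (unsigned)next_addr32(0x1000u, get_le32(bad)));
    printf("walker result = %d\n", count_contexts(bad, sizeof(bad)));
    return 0;
}
```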