git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Jeremy Erazo <mendozayt13@gmail.com>
	Thu, 14 May 2026 12:03:34 +0000 (12:03 +0000)
committer	Steve French <stfrench@microsoft.com>
	Thu, 14 May 2026 15:55:28 +0000 (10:55 -0500)
commit	81a874233c305d29e37fdb70b691ff4254294c0b
tree	93641904d65f50d44d3ce0151c71f5a0cb398d66	tree \| snapshot
parent	ab26dfeba278b0efbcea012f1698cf524d9b5695	commit \| diff

smb: client: avoid integer overflow in SMB2 READ length check

SMB2 READ response validation in cifs_readv_receive() and
handle_read_data() checks data_offset + data_len against the received
buffer length.  Both values are attacker-controlled fields from the
server response and are stored as unsigned int, so the addition can
wrap before the bounds check:

fs/smb/client/transport.c:1259
if (!use_rdma_mr && (data_offset + data_len > buflen))

fs/smb/client/smb2ops.c:4839
else if (buf_len >= data_offset + data_len)

A malicious SMB server can use this to bypass validation.  In the
non-encrypted receive path the client attempts an oversized socket
read and stalls for the SMB response timeout (180 seconds) before
reconnecting.  In the SMB3 encrypted path, runtime testing shows the
malformed length can reach copy_to_iter() in handle_read_data() with
attacker-controlled size, where usercopy hardening stops the oversized
copy before bytes reach userspace.

Guard both call sites with check_add_overflow(), which is already
used elsewhere in this subsystem (smb2pdu.c).  On overflow, treat the
response as malformed and reject with -EIO.

Signed-off-by: Jeremy Erazo <mendozayt13@gmail.com>
Signed-off-by: Steve French <stfrench@microsoft.com>

fs/smb/client/smb2ops.c		diff \| blob \| blame \| history
fs/smb/client/transport.c		diff \| blob \| blame \| history