ksmbd: fix O(N^2) DoS in smb2_lock via unbounded LockCount

author Akif Sait <akif.sait111@gmail.com>

Mon, 20 Apr 2026 01:58:26 +0000 (10:58 +0900)

committer Steve French <stfrench@microsoft.com>

Wed, 22 Apr 2026 13:11:23 +0000 (08:11 -0500)
author Akif Sait <akif.sait111@gmail.com>
Mon, 20 Apr 2026 01:58:26 +0000 (10:58 +0900)
committer Steve French <stfrench@microsoft.com>
Wed, 22 Apr 2026 13:11:23 +0000 (08:11 -0500)
diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c

index a5d9a56cdee85dcc9288614f01e9f815fe1d074d..1ed44ed1aaebdc2d07e41f5dfc5a6660d7148aac 100644 (file)
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -7491,7 +7491,12 @@ int smb2_lock(struct ksmbd_work *work)
         lock_ele = req->locks;
  
         ksmbd_debug(SMB, "lock count is %d\n", lock_count);
-       if (!lock_count) {
+       /*
+        * Cap lock_count at 64. The MS-SMB2 spec defines Open.LockSequenceArray
+        * as exactly 64 entries so 64 is the intended ceiling. No real workload
+        * comes close to this in a single request.
+        */
+       if (!lock_count || lock_count > 64) {
                 err = -EINVAL;
                 goto out2;
         }
author	Akif Sait <akif.sait111@gmail.com>
	Mon, 20 Apr 2026 01:58:26 +0000 (10:58 +0900)
committer	Steve French <stfrench@microsoft.com>
	Wed, 22 Apr 2026 13:11:23 +0000 (08:11 -0500)