From: Akif Sait Date: Mon, 20 Apr 2026 01:58:26 +0000 (+0900) Subject: ksmbd: fix O(N^2) DoS in smb2_lock via unbounded LockCount X-Git-Tag: v7.1-rc1~34^2~5 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=bd0a1ca52b6da64b1a163f103b28b488b20497fe;p=thirdparty%2Flinux.git ksmbd: fix O(N^2) DoS in smb2_lock via unbounded LockCount smb2_lock() performs O(N^2) conflict detection with no cap on LockCount. Cap lock_count at 64 to prevent CPU exhaustion from a single request. Signed-off-by: Akif Sait Acked-by: Namjae Jeon Signed-off-by: Steve French --- diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c index a5d9a56cdee8..1ed44ed1aaeb 100644 --- a/fs/smb/server/smb2pdu.c +++ b/fs/smb/server/smb2pdu.c @@ -7491,7 +7491,12 @@ int smb2_lock(struct ksmbd_work *work) lock_ele = req->locks; ksmbd_debug(SMB, "lock count is %d\n", lock_count); - if (!lock_count) { + /* + * Cap lock_count at 64. The MS-SMB2 spec defines Open.LockSequenceArray + * as exactly 64 entries so 64 is the intended ceiling. No real workload + * comes close to this in a single request. + */ + if (!lock_count || lock_count > 64) { err = -EINVAL; goto out2; }
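Review bot: In the new condition `if (!lock_count || lock_count > 64)` the limit is a bare literal that is repeated in the comment above it; a named constant (the name is up to the maintainers, e.g. a hypothetical `KSMBD_MAX_LOCK_COUNT`) would keep the check and its rationale from drifting apart and make the cap easy to find later. The comment derives the ceiling from the size of Open.LockSequenceArray, which is an inference about intent rather than a per-request limit quoted from the spec, so it would read more accurately as a server-imposed bound chosen to limit the O(N^2) conflict scan described in the commit message. An over-limit request also takes the same `-EINVAL` / `goto out2` path as a zero count, so the only way to tell the two apart is the existing `ksmbd_debug` line printed just before the check; if that distinction matters for triage, say so in the comment or log the rejection explicitly.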