Re: [PATCH 1/2] smb: client: fix off-by-8 bounds check in check_wsl_eas()
From: Greg Kroah-Hartman
Date: Wed Apr 08 2026 - 01:39:22 EST
On Wed, Apr 08, 2026 at 10:51:12AM +0800, ChenXiaoSong wrote:
> Sashiko reported another out-of-bounds issue:
> https://sashiko.dev/#/patchset/2026040635-banking-unsoiled-3250@gregkh
>
> Should we add the following checks in check_wsl_eas()?
>
> ```
> --- a/fs/smb/client/smb2inode.c
> +++ b/fs/smb/client/smb2inode.c
> @@ -121,6 +121,9 @@ static int check_wsl_eas(struct kvec *rsp_iov)
> ea = (void *)((u8 *)rsp_iov->iov_base +
> le16_to_cpu(rsp->OutputBufferOffset));
> end = (u8 *)rsp_iov->iov_base + rsp_iov->iov_len;
> + if (ea + outlen > end)
> + return -EINVAL;
Then you would miss any "first" structures here, as I think the for loop
catches this later on with the line:
> +
> for (;;) {
> if ((u8 *)ea > end - sizeof(*ea))
> return -EINVAL;
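Review bot: the added `if (ea + outlen > end)` does its arithmetic in the wrong units. `ea` is not a byte pointer (the assignment above goes through `(void *)` and the loop below has to cast it with `(u8 *)ea`), so `ea + outlen` advances by `outlen` elements of `sizeof(*ea)`, not `outlen` bytes, and the comparison pits that typed pointer against the `u8 *` `end`. Suggest `if ((u8 *)ea + outlen > end)`, matching the `(u8 *)ea > end - sizeof(*ea)` form the loop already uses, so the byte length reported in the response is checked against the byte length of the iov.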
That one, right?
Or am I misreading this?
Pointer math is "fun" :(
thanks,
greg k-h