Re: [PATCH 1/2] smb: client: fix off-by-8 bounds check in check_wsl_eas()
From: ChenXiaoSong
Date: Wed Apr 08 2026 - 01:59:35 EST
The for loop does not seem to catch cases where `outlen` is excessively large. In such cases, smb2_compound_op() would pass this large `outlen` to `memcpy()`, which could lead to an out-of-bounds access.
```
smb2_compound_op()
{
...
size[0] = outlen; // very large
check_wsl_eas()
memcpy(..., outlen) // out-of-bounds
...
}
```
On 4/8/26 13:39, Greg Kroah-Hartman wrote:
On Wed, Apr 08, 2026 at 10:51:12AM +0800, ChenXiaoSong wrote:
Sashiko reported another out-of-bounds issue:
https://sashiko.dev/#/patchset/2026040635-banking-unsoiled-3250@gregkh
Should we add the following checks in check_wsl_eas()?
```
--- a/fs/smb/client/smb2inode.c
+++ b/fs/smb/client/smb2inode.c
@@ -121,6 +121,9 @@ static int check_wsl_eas(struct kvec *rsp_iov)
ea = (void *)((u8 *)rsp_iov->iov_base +
le16_to_cpu(rsp->OutputBufferOffset));
end = (u8 *)rsp_iov->iov_base + rsp_iov->iov_len;
+ if (ea + outlen > end)
+ return -EINVAL;
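Review bot: the added `ea + outlen > end` comparison is not a byte-length check, because `ea` is not a byte pointer here; the existing loop has to cast it as `(u8 *)ea` before comparing against `end`, so `ea + outlen` advances by `outlen * sizeof(*ea)` bytes, not by `outlen` bytes. Write it as `if ((u8 *)ea + outlen > end)`, or better as a length comparison that never forms a pointer past the buffer, e.g. `if ((u8 *)ea > end || outlen > end - (u8 *)ea) return -EINVAL;`, which also covers an `OutputBufferOffset` that already points beyond `end` before the loop's own `(u8 *)ea > end - sizeof(*ea)` test runs.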
Then you would miss any "first" structures here, as I think the for loop
catches this later on with the line:
+
for (;;) {
if ((u8 *)ea > end - sizeof(*ea))
return -EINVAL;
That one, right?
Or am I misreading this?
Pointer math is "fun" :(
thanks,
greg k-h
--
ChenXiaoSong <chenxiaosong@xxxxxxxxxx>
Chinese Homepage: chenxiaosong.com
English Homepage: chenxiaosong.com/en
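The bounds checks argued over above, as an added user-space example that is not code from this thread or from the kernel: a model of an EA-list walk that first rejects a claimed output length larger than what was received, then walks the entries by lengths rather than by comparing raw pointers. The entry layout follows the SMB2 FILE_FULL_EA_INFORMATION wire format (4-byte next_entry_offset, 1-byte flags, 1-byte name length, 2-byte value length, then name, NUL and value); the function names, the 8-byte stand-in for the response header, the sample buffer and the choice to bound the walk by the claimed `outlen` rather than by the whole receive buffer are assumptions made for illustration. `ea_ptr_step_bytes()` shows why `ea + outlen` on a struct pointer does not mean "outlen bytes".

```c
/* Added example, not kernel code. Layout follows SMB2 FILE_FULL_EA_INFORMATION;
 * names, header stand-in and sample data are assumptions for illustration. */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EA_HDR_LEN 8u   /* next(4) + flags(1) + name_len(1) + value_len(2) */

struct ea_hdr {
	uint32_t next_entry_offset;
	uint8_t  flags;
	uint8_t  ea_name_length;
	uint16_t ea_value_length;
} __attribute__((packed));

static uint32_t get_le32(const uint8_t *p)
{
	return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
	       (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static uint16_t get_le16(const uint8_t *p)
{
	return (uint16_t)((uint16_t)p[0] | (uint16_t)p[1] << 8);
}

static void put_le32(uint8_t *p, uint32_t v)
{
	p[0] = (uint8_t)v;       p[1] = (uint8_t)(v >> 8);
	p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Stepping a struct pointer by 1 moves sizeof(*ea) bytes, not 1 byte, so
 * `ea + outlen` on a struct pointer overshoots by a factor of sizeof(*ea). */
size_t ea_ptr_step_bytes(void)
{
	struct ea_hdr arr[2];
	const struct ea_hdr *ea = &arr[0];

	return (size_t)((const uint8_t *)(ea + 1) - (const uint8_t *)ea);
}

/* Validate an EA list the peer claims is `outlen` bytes long, starting `off`
 * bytes into a received buffer of `len` bytes. Returns 0 if every entry lies
 * inside the buffer, -1 otherwise. All comparisons are on lengths, so no
 * pointer past the buffer is ever formed. */
int validate_ea_list(const uint8_t *buf, size_t len, size_t off, size_t outlen)
{
	const uint8_t *end = buf + len;
	const uint8_t *ea;
	size_t nlen, vlen, next, need;

	if (off > len)
		return -1;
	ea = buf + off;
	/* The check from the thread, done as a length comparison: the claimed
	 * output length must not exceed what was actually received. */
	if (outlen > (size_t)(end - ea))
		return -1;
	end = ea + outlen;          /* walk only the claimed list (assumption) */

	for (;;) {
		if ((size_t)(end - ea) < EA_HDR_LEN)
			return -1;
		nlen = ea[5];
		vlen = get_le16(ea + 6);
		need = EA_HDR_LEN + nlen + 1 + vlen;   /* header + name + NUL + value */
		if (need > (size_t)(end - ea))
			return -1;
		next = get_le32(ea);
		if (next == 0)
			break;
		/* next must skip past this whole entry and stay inside the list */
		if (next < need || next > (size_t)(end - ea))
			return -1;
		ea += next;
	}
	return 0;
}

/* Write one entry (header, name, NUL, value) at buf+pos; returns bytes used. */
static size_t put_ea(uint8_t *buf, size_t pos, uint32_t next,
		     const char *name, const uint8_t *val, uint16_t vlen)
{
	size_t nlen = strlen(name);

	put_le32(buf + pos, next);
	buf[pos + 4] = 0;
	buf[pos + 5] = (uint8_t)nlen;
	buf[pos + 6] = (uint8_t)vlen;
	buf[pos + 7] = (uint8_t)(vlen >> 8);
	memcpy(buf + pos + 8, name, nlen + 1);
	memcpy(buf + pos + 8 + nlen + 1, val, vlen);
	return EA_HDR_LEN + nlen + 1 + vlen;
}

/* Constructed sample: 8 bytes standing in for the response header, then two
 * entries (15 bytes each); the first is padded to a 16-byte next offset.
 * Returns the total length, 39, or 0 if `cap` is too small. */
size_t build_sample(uint8_t *buf, size_t cap)
{
	static const uint8_t v1[2] = { 0x01, 0x02 }, v2[2] = { 0x03, 0x04 };
	size_t pos = 8;

	if (cap < 64)
		return 0;
	memset(buf, 0, cap);
	(void)put_ea(buf, pos, 16, "LXMD", v1, 2);
	pos += 16;
	pos += put_ea(buf, pos, 0, "LXUN", v2, 2);
	return pos;
}

/* Tamper helper: overwrite the next_entry_offset of the entry at buf+pos. */
void set_next_entry_offset(uint8_t *buf, size_t pos, uint32_t next)
{
	put_le32(buf + pos, next);
}

int main(void)
{
	uint8_t buf[64];
	size_t len = build_sample(buf, sizeof buf);

	printf("valid list: %d\n", validate_ea_list(buf, len, 8, len - 8));
	printf("oversized outlen: %d\n", validate_ea_list(buf, len, 8, 4096));
	printf("struct pointer step: %zu bytes\n", ea_ptr_step_bytes());
	return 0;
}
```

The oversized-`outlen` case is the one the reply above is concerned with: the walk itself would pass (every entry is well formed and inside the buffer), so only the explicit length comparison rejects a claimed length that exceeds the received data before that value is handed to a copy.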