Re: [PATCH 1/2] smb: client: fix off-by-8 bounds check in check_wsl_eas()
From: Greg Kroah-Hartman
Date: Wed Apr 08 2026 - 02:16:00 EST

On Wed, Apr 08, 2026 at 01:58:27PM +0800, ChenXiaoSong wrote:
> The for loop does not seem to catch cases where `outlen` is excessively
> large. In such cases, smb2_compound_op() would use this large `outlen` to
> `memcpy()`, which could lead to OOB.
>
> ```
> smb2_compound_op()
> {
> ...
> size[0] = outlen; // very large
> check_wsl_eas()
> memcpy(..., outlen) // out-of-bounds
> ...
> }
> ```

Ah, I missed the caller site. Yeah, probably a good thing to check as
well, want to make up a patch?

thanks,
greg k-h
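
The point raised in this thread, as an added example that is not part of the original message and is not the kernel's code: a simplified userspace C model showing why walking the entries against `outlen` is not enough unless the caller first checks `outlen` against the bytes actually received. The function names, the 8-byte entry header layout and the sample bytes used with it are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define EA_HDR 8u /* assumed header: next(4) flags(1) name_len(1) value_len(2) */

static uint32_t le32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }

/* Caller-side check: the peer-claimed [off, off+outlen) must lie inside the
 * rsp_len bytes actually received. No addition, so nothing can wrap. */
static int blob_in_bounds(size_t rsp_len, uint32_t off, uint32_t outlen)
{
    return off <= rsp_len && outlen <= rsp_len - off;
}

/* Entry walk: proves the entries fit in outlen, not that outlen is honest. */
static int ea_list_ok(const uint8_t *ea, uint32_t outlen)
{
    uint32_t pos = 0;                       /* invariant: pos <= outlen */
    for (;;) {
        if (outlen - pos < EA_HDR)
            return 0;
        uint32_t next = le32(ea + pos);
        uint32_t need = EA_HDR + ea[pos + 5] + 1u + le16(ea + pos + 6);
        if (need > outlen - pos)
            return 0;
        if (next == 0)
            return 1;                       /* last entry */
        if (next < need || next > outlen - pos)
            return 0;
        pos += next;
    }
}

/* Hypothetical caller: check outlen, then the entries, then copy.
 * Returns bytes copied, or -1 if the response is rejected. */
static long copy_eas(const uint8_t *rsp, size_t rsp_len, uint32_t off,
                     uint32_t outlen, uint8_t *dst, size_t dst_len)
{
    if (!blob_in_bounds(rsp_len, off, outlen) || outlen > dst_len)
        return -1;
    if (!ea_list_ok(rsp + off, outlen))
        return -1;
    memcpy(dst, rsp + off, outlen);
    return (long)outlen;
}
```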