[PATCH 6.19 464/844] ksmbd: fix signedness bug in smb_direct_prepare_negotiation()

From: Sasha Levin

Date: Sat Feb 28 2026 - 15:18:40 EST


From: Nicholas Carlini <nicholas@xxxxxxxxxxx>

[ Upstream commit 6b4f875aac344cdd52a1f34cc70ed2f874a65757 ]

smb_direct_prepare_negotiation() casts an unsigned __u32 value
from sp->max_recv_size and req->preferred_send_size to a signed
int before computing min_t(int, ...). A maliciously provided
preferred_send_size of 0x80000000 will return as smaller than
max_recv_size, and then be used to set the maximum allowed
receive size for the next message.

By sending a second message with a large value (>1420 bytes)
the attacker can then achieve a heap buffer overflow.

This fix replaces min_t(int, ...) with min_t(u32, ...).

Fixes: 0626e6641f6b ("cifsd: add server handler for central processing and tranport layers")
Signed-off-by: Nicholas Carlini <nicholas@xxxxxxxxxxx>
Reviewed-by: Stefan Metzmacher <metze@xxxxxxxxx>
Acked-by: Stefan Metzmacher <metze@xxxxxxxxx>
Acked-by: Namjae Jeon <linkinjeon@xxxxxxxxxx>
Signed-off-by: Steve French <stfrench@xxxxxxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
---
fs/smb/server/transport_rdma.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/smb/server/transport_rdma.c b/fs/smb/server/transport_rdma.c
index c94068b78a1d2..dcc7a6c20d6f8 100644
--- a/fs/smb/server/transport_rdma.c
+++ b/fs/smb/server/transport_rdma.c
@@ -2527,9 +2527,9 @@ static int smb_direct_prepare(struct ksmbd_transport *t)
goto put;

req = (struct smbdirect_negotiate_req *)recvmsg->packet;
- sp->max_recv_size = min_t(int, sp->max_recv_size,
+ sp->max_recv_size = min_t(u32, sp->max_recv_size,
le32_to_cpu(req->preferred_send_size));
- sp->max_send_size = min_t(int, sp->max_send_size,
+ sp->max_send_size = min_t(u32, sp->max_send_size,
le32_to_cpu(req->max_receive_size));
sp->max_fragmented_send_size =
le32_to_cpu(req->max_fragmented_size);
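Review bot: switching both clamps to min_t(u32, ...) is the right fix here, since the commit message says both sides of each comparison are __u32 and the int cast was what let 0x80000000 compare below max_recv_size; note though that sp->max_fragmented_send_size two lines below is still taken straight from le32_to_cpu(req->max_fragmented_size) with no clamp against a server-side limit in this hunk, so it is worth confirming that the peer-supplied value is bounded elsewhere before it is used for sizing.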
--
2.51.0
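The signed-comparison defect described in the commit message, reduced to a stand-alone C illustration (added here; not ksmbd code and not the kernel's min_t macro). The two helpers stand in for min_t(int, ...) and min_t(u32, ...), the 8192-byte server limit is a constructed value, and 0x80000000 is the peer value the commit message names.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for the kernel's min_t(type, a, b): both operands
 * are converted to `type` first, then the smaller one is returned. */
static uint32_t min_as_int(uint32_t a, uint32_t b)
{
    int ia = (int)a;   /* 0x80000000 becomes INT_MIN on two's-complement targets */
    int ib = (int)b;
    return (uint32_t)(ia < ib ? ia : ib);
}

static uint32_t min_as_u32(uint32_t a, uint32_t b)
{
    return a < b ? a : b;
}

/* Constructed server-side limit and the top-bit-set peer value from the
 * commit message. */
#define SERVER_MAX_RECV      8192u
#define PEER_PREFERRED_SEND  0x80000000u

/* Pre-fix behaviour: the peer value, reinterpreted as a negative int,
 * compares smaller than 8192 and is adopted as the receive limit. */
uint32_t negotiated_recv_size_before_fix(void)
{
    return min_as_int(SERVER_MAX_RECV, PEER_PREFERRED_SEND);
}

/* Post-fix behaviour: an unsigned compare keeps the server's own limit. */
uint32_t negotiated_recv_size_after_fix(void)
{
    return min_as_u32(SERVER_MAX_RECV, PEER_PREFERRED_SEND);
}

int main(void)
{
    printf("before fix: %u\n", negotiated_recv_size_before_fix());
    printf("after fix:  %u\n", negotiated_recv_size_after_fix());
    return 0;
}
```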