[PATCH] smb: client: Fix next buffer leak in receive_encrypted_standard()

Next message: Sun Jian: "[PATCH bpf v4] selftests/bpf: Cover partial copy of non-linear test_run output"
Previous message: Salih Erim: "[PATCH v11 0/5] iio: adc: add Versal SysMon driver"
Next in thread: Steve French: "Re: [PATCH] smb: client: Fix next buffer leak in receive_encrypted_standard()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Haoxiang Li

Date: Mon Jun 22 2026 - 21:46:58 EST

receive_encrypted_standard() allocates next_buffer before checking
whether the number of compound PDUs already reached MAX_COMPOUND. If
the limit check fails, the function returns immediately and the newly
allocated next_buffer is not assigned to server->smallbuf/server->bigbuf,
making it leaked.

Move the MAX_COMPOUND check before allocating next_buffer.

Fixes: b24df3e30cbf ("cifs: update receive_encrypted_standard to handle compounded responses")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Haoxiang Li <haoxiang_li2024@xxxxxxx>
---
fs/smb/client/smb2ops.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/fs/smb/client/smb2ops.c b/fs/smb/client/smb2ops.c
index a8f8feeeccb5..c39944dd40bb 100644
--- a/fs/smb/client/smb2ops.c
+++ b/fs/smb/client/smb2ops.c
@@ -5111,6 +5111,12 @@ receive_encrypted_standard(struct TCP_Server_Info *server,
one_more:
shdr = (struct smb2_hdr *)buf;
next_cmd = le32_to_cpu(shdr->NextCommand);
+
+ if (*num_mids >= MAX_COMPOUND) {
+ cifs_server_dbg(VFS, "too many PDUs in compound\n");
+ return -1;
+ }
+
if (next_cmd) {
if (WARN_ON_ONCE(next_cmd > pdu_length))
return -1;
@@ -5134,10 +5140,6 @@ receive_encrypted_standard(struct TCP_Server_Info *server,
mid_entry->resp_buf_size = server->pdu_size;
}

- if (*num_mids >= MAX_COMPOUND) {
- cifs_server_dbg(VFS, "too many PDUs in compound\n");
- return -1;
- }
bufs[*num_mids] = buf;
mids[(*num_mids)++] = mid_entry;

--
2.25.1