Re: [PATCH] smb: client: Fix next buffer leak in receive_encrypted_standard()
From: Steve French
Date: Tue Jun 23 2026 - 22:23:19 EST
Merged into cifs-2.6.git for-next pending additional reviews
On Mon, Jun 22, 2026 at 8:49 PM Haoxiang Li <haoxiang_li2024@xxxxxxx> wrote:
>
> receive_encrypted_standard() allocates next_buffer before checking
> whether the number of compound PDUs already reached MAX_COMPOUND. If
> the limit check fails, the function returns immediately and the newly
> allocated next_buffer is not assigned to server->smallbuf/server->bigbuf,
> making it leaked.
>
> Move the MAX_COMPOUND check before allocating next_buffer.
>
> Fixes: b24df3e30cbf ("cifs: update receive_encrypted_standard to handle compounded responses")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Haoxiang Li <haoxiang_li2024@xxxxxxx>
> ---
> fs/smb/client/smb2ops.c | 10 ++++++----
> 1 file changed, 6 insertions(+), 4 deletions(-)
>
> diff --git a/fs/smb/client/smb2ops.c b/fs/smb/client/smb2ops.c
> index a8f8feeeccb5..c39944dd40bb 100644
> --- a/fs/smb/client/smb2ops.c
> +++ b/fs/smb/client/smb2ops.c
> @@ -5111,6 +5111,12 @@ receive_encrypted_standard(struct TCP_Server_Info *server,
> one_more:
> shdr = (struct smb2_hdr *)buf;
> next_cmd = le32_to_cpu(shdr->NextCommand);
> +
> + if (*num_mids >= MAX_COMPOUND) {
> + cifs_server_dbg(VFS, "too many PDUs in compound\n");
> + return -1;
> + }
> +
> if (next_cmd) {
> if (WARN_ON_ONCE(next_cmd > pdu_length))
> return -1;
> @@ -5134,10 +5140,6 @@ receive_encrypted_standard(struct TCP_Server_Info *server,
> mid_entry->resp_buf_size = server->pdu_size;
> }
>
> - if (*num_mids >= MAX_COMPOUND) {
> - cifs_server_dbg(VFS, "too many PDUs in compound\n");
> - return -1;
> - }
> bufs[*num_mids] = buf;
> mids[(*num_mids)++] = mid_entry;
>
> --
> 2.25.1
>
>
--
Thanks,
Steve