[
  {
    "id": 3674667,
    "web_url": "http://patchwork.ozlabs.org/comment/3674667/",
    "msgid": "<297d8d9b-adf7-42fd-a1c2-5b1f230032bc@chenxiaosong.com>",
    "list_archive_url": null,
    "date": "2026-04-08T09:01:56",
    "subject": "Re: [PATCH 2/2] smb: client: fix OOB reads parsing symlink error\n response",
    "submitter": {
      "id": 88754,
      "url": "http://patchwork.ozlabs.org/api/people/88754/",
      "name": "ChenXiaoSong",
      "email": "chenxiaosong@chenxiaosong.com"
    },
    "content": "Sashiko reported the following out-of-bounds issue. I have checked and confirmed that this indeed causes an OOB access.\n\nWhen create fails on symlink, `len` in `smb2_check_message()` may be smaller than `calc_len`. The function flow is as follows:\n\n```\nsmb2_check_message()\n   // ensure StructureSize2 is 9\n   if (... pdu->StructureSize2 != SMB2_ERROR_STRUCTURE_SIZE2_LE ...) // false\n   smb2_calc_size()\n     len = le16_to_cpu(shdr->StructureSize) == 64\n     len += le16_to_cpu(pdu->StructureSize2) == 64 + 9\n     smb2_get_data_area_len\n       if (shdr->StructureSize == 9) // true, return NULL\n   calc_len == 64 + 9\n   if (len != calc_len) { // true\n   /* create failed on symlink */\n   if (command == SMB2_CREATE_HE && shdr->Status == STATUS_STOPPED_ON_SYMLINK) // true\n```\n\nShould we add the following check? Or check it in symlink_data()?\n\n```\n-- a/fs/smb/client/smb2misc.c\n+++ b/fs/smb/client/smb2misc.c\n@@ -241,7 +241,8 @@ smb2_check_message(char *buf, unsigned int pdu_len, \nunsigned int len,\n         if (len != calc_len) {\n                 /* create failed on symlink */\n                 if (command == SMB2_CREATE_HE &&\n-                   shdr->Status == STATUS_STOPPED_ON_SYMLINK)\n+                   shdr->Status == STATUS_STOPPED_ON_SYMLINK &&\n+                   len > calc_len)\n                         return 0;\n                 /* Windows 7 server returns 24 bytes more */\n                 if (calc_len + 24 == len && command == \nSMB2_OPLOCK_BREAK_HE)\n\n```\n\n>> --- a/fs/smb/client/smb2file.c\n>> +++ b/fs/smb/client/smb2file.c\n>> @@ -27,10 +27,11 @@ static struct smb2_symlink_err_rsp *symlink_data(const struct kvec *iov)\n>>  {\n>>  \tstruct smb2_err_rsp *err = iov->iov_base;\n>>  \tstruct smb2_symlink_err_rsp *sym = ERR_PTR(-EINVAL);\n>> +\tu8 *end = (u8 *)err + iov->iov_len;\n>>  \tu32 len;\n>>  \n>>  \tif (err->ErrorContextCount) {\n> Since smb2_check_message() returns success without length validation for\n> the symlink error response, is it possible for iov->iov_len to be smaller\n> than sizeof(struct smb2_err_rsp)?\n> If the buffer only contains the base SMB2 header (64 bytes), does accessing\n> err->ErrorContextCount (at offset 66) or err->ByteCount later in this\n> function cause an out-of-bounds read?",
    "headers": {
      "Message-ID": "<297d8d9b-adf7-42fd-a1c2-5b1f230032bc@chenxiaosong.com>",
      "Date": "Wed, 8 Apr 2026 17:01:56 +0800",
      "X-Mailing-List": "linux-cifs@vger.kernel.org",
      "List-Id": "<linux-cifs.vger.kernel.org>",
      "Subject": "Re: [PATCH 2/2] smb: client: fix OOB reads parsing symlink error\n response",
      "From": "ChenXiaoSong <chenxiaosong@chenxiaosong.com>",
      "To": "Greg Kroah-Hartman <gregkh@linuxfoundation.org>,\n linux-cifs@vger.kernel.org",
      "Cc": "linux-kernel@vger.kernel.org, Steve French <sfrench@samba.org>,\n Paulo Alcantara <pc@manguebit.org>,\n Ronnie Sahlberg <ronniesahlberg@gmail.com>,\n Shyam Prasad N <sprasad@microsoft.com>, Tom Talpey <tom@talpey.com>,\n Bharath SM <bharathsm@microsoft.com>, samba-technical@lists.samba.org,\n stable <stable@kernel.org>",
      "References": "<2026040635-banking-unsoiled-3250@gregkh>\n <2026040636-icy-constable-9e17@gregkh>",
      "In-Reply-To": "<2026040636-icy-constable-9e17@gregkh>",
      "Content-Language": "en-US",
      "Content-Type": "text/plain; charset=UTF-8; format=flowed",
      "Content-Transfer-Encoding": "7bit"
    }
  }
]
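Review bot: on the proposed smb2misc.c hunk, the added `len > calc_len` condition is the right guard for the early return, since it only skips the length check once the 64-byte header plus the 9-byte error structure (calc_len) are known to be in the buffer; a response that carries only the 64-byte header then falls through to the rest of the mismatch handling instead of returning 0. It does not cover the symlink error context that symlink_data() parses afterwards, so the answer to "or check it in symlink_data()?" is both: keep this check and still bound every read in symlink_data() by iov->iov_len. Inside the `if (len != calc_len)` block `len > calc_len` and `len >= calc_len` are equivalent, so `>` is fine as written. Minor: the inline diff header reads `-- a/fs/smb/client/smb2misc.c` (two dashes) and the `@@` line is wrapped by format=flowed, so the hunk needs retyping before it can be applied.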
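Review bot: on the quoted symlink_data() hunk, `end` is derived from iov->iov_len, but the first field access, `err->ErrorContextCount` in `if (err->ErrorContextCount) {`, happens before anything is compared against `end`, which is exactly the gap the reply raises. A guard directly after the declarations, `if (iov->iov_len < sizeof(*err)) return sym;` (sym is already ERR_PTR(-EINVAL)), makes symlink_data() safe on its own, independent of what smb2_check_message() guarantees for STATUS_STOPPED_ON_SYMLINK responses.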