Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/patches/2224945/?format=api
{ "id": 2224945, "url": "http://patchwork.ozlabs.org/api/patches/2224945/?format=api", "web_url": "http://patchwork.ozlabs.org/project/linux-cifs-client/patch/20260420001131.2865776-1-michael.bommarito@gmail.com/", "project": { "id": 12, "url": "http://patchwork.ozlabs.org/api/projects/12/?format=api", "name": "Linux CIFS Client", "link_name": "linux-cifs-client", "list_id": "linux-cifs.vger.kernel.org", "list_email": "linux-cifs@vger.kernel.org", "web_url": "", "scm_url": "", "webscm_url": "", "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20260420001131.2865776-1-michael.bommarito@gmail.com>", "list_archive_url": null, "date": "2026-04-20T00:11:31", "name": "[v2] smb: client: validate the whole DACL before rewriting it in cifsacl", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "5fa3cb139fcf2e5e45e309dffefc2e8bf077f997", "submitter": { "id": 93078, "url": "http://patchwork.ozlabs.org/api/people/93078/?format=api", "name": "Michael Bommarito", "email": "michael.bommarito@gmail.com" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/linux-cifs-client/patch/20260420001131.2865776-1-michael.bommarito@gmail.com/mbox/", "series": [ { "id": 500533, "url": "http://patchwork.ozlabs.org/api/series/500533/?format=api", "web_url": "http://patchwork.ozlabs.org/project/linux-cifs-client/list/?series=500533", "date": "2026-04-20T00:11:31", "name": "[v2] smb: client: validate the whole DACL before rewriting it in cifsacl", "version": 2, "mbox": "http://patchwork.ozlabs.org/series/500533/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2224945/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2224945/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "\n <linux-cifs+bounces-10919-incoming=patchwork.ozlabs.org@vger.kernel.org>", "X-Original-To": [ "incoming@patchwork.ozlabs.org", "linux-cifs@vger.kernel.org" ], "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=a+kuI2uw;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c0a:e001:db::12fc:5321; helo=sea.lore.kernel.org;\n envelope-from=linux-cifs+bounces-10919-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)", "smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com\n header.b=\"a+kuI2uw\"", "smtp.subspace.kernel.org;\n arc=none smtp.client-ip=209.85.222.182", "smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=gmail.com", "smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=gmail.com" ], "Received": [ "from sea.lore.kernel.org (sea.lore.kernel.org\n [IPv6:2600:3c0a:e001:db::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fzQsF6snHz1yCv\n\tfor <incoming@patchwork.ozlabs.org>; Mon, 20 Apr 2026 10:12:01 +1000 (AEST)", "from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id 2485D30136B2\n\tfor <incoming@patchwork.ozlabs.org>; Mon, 20 Apr 2026 00:11:57 +0000 (UTC)", "from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 3863C40DFC7;\n\tMon, 20 Apr 2026 00:11:56 +0000 (UTC)", "from mail-qk1-f182.google.com (mail-qk1-f182.google.com\n [209.85.222.182])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 92A012772D\n\tfor <linux-cifs@vger.kernel.org>; Mon, 20 Apr 2026 00:11:54 +0000 (UTC)", "by mail-qk1-f182.google.com with SMTP id\n af79cd13be357-8d428da4300so273103085a.3\n for <linux-cifs@vger.kernel.org>;\n Sun, 19 Apr 2026 17:11:54 -0700 (PDT)", "from server0 (c-68-48-65-54.hsd1.mi.comcast.net. [68.48.65.54])\n by smtp.gmail.com with ESMTPSA id\n af79cd13be357-8e7d5fe98dcsm697020185a.7.2026.04.19.17.11.52\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Sun, 19 Apr 2026 17:11:52 -0700 (PDT)" ], "ARC-Seal": "i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1776643916; cv=none;\n b=MTNjv3Ij57EpMQ/VjhNc7I27NGJde6QOmYSFilMa1ie+rhxNd0kuWFhvMfWLXSj378oKMIL9w5ZvkLylUg+REzUoyC13EgFyfD1aGY+lGfjSlEY+HbrtUaJijN+2Au5+BxK+q2mlzJKPuS89aDA7yVTQ+FZ064+Eza1Nv+EobuQ=", "ARC-Message-Signature": "i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1776643916; c=relaxed/simple;\n\tbh=J0TaXRSUoiYBKYMpUV1WlkKcXmHlIrtK82jnx1iaS8c=;\n\th=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:\n\t MIME-Version;\n b=KhvoMhtfU2gKwkyLCsIDMNHSEAqPpsd8p9h/5lrt2x8oCsQpGL4LmQiU+sT27BRcWzuu7MiqXmH4QB4F8mb7cp2QHwNTS8Ow+mFg+BeUU0EaaE808FdWD8+8Hh9ARnb4YbRlAKR2Nz+TxgR5NIpuCtoYWgSz/zYMhsB/AY0Dyeo=", "ARC-Authentication-Results": "i=1; smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=gmail.com;\n spf=pass smtp.mailfrom=gmail.com;\n dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com\n header.b=a+kuI2uw; arc=none smtp.client-ip=209.85.222.182", "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=gmail.com; s=20251104; t=1776643913; x=1777248713;\n darn=vger.kernel.org;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:cc:to:from:from:to:cc:subject:date\n :message-id:reply-to;\n bh=7xQF2kYy2mawb58IYNylnXRWgmSB/uAYm2CtIu/gV9E=;\n b=a+kuI2uwbQXvOGkzTWXIcL9ln2Y+lrEuhnYVur2heeY5ZBwqj+De3+VXEPSNgWarvc\n NGmJpIFL06FiJXo/+6DTYsWrRq+wUX2ZY5CAv8fiDvy2n1+DRaDbPjDZd7AMQJfDStqR\n rZC7+WS8FOYY6UWIvIu7VZV1DsGDi/x96rhT6zc8PcUO0HU7TUAXis1z0wL5MwFkZWy1\n vUDS82Pw6IB9ykhygoQuRpwWQyaKf6fN4SWGtfovW/ayfz5r2W+Ty3O/OFjCO4dsJA6s\n RdZ6xRtz1ZiXuoH0zpmxX0So8HAXBAlUJsZ8zf4dDPQVZsoHa0obuQRy5+qIJk4I0A+n\n OkNw==", "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1776643913; x=1777248713;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from\n :to:cc:subject:date:message-id:reply-to;\n bh=7xQF2kYy2mawb58IYNylnXRWgmSB/uAYm2CtIu/gV9E=;\n b=PKMwM7P1l7FK34HCWaNNqfYj8MZ4qq5HB6Dj/pz/lT6QpCPZxbqNTIh5aldteMGUCl\n Y5sT7qFn1e1QvBubPqCMO7n0z5sryRPuf4rOZyx1JVymmR9XmmEaxCqi6ed7Vh8QOjRz\n 1IMuuQWifJKJ6iZ1JQZQXOB/v5ah2XgiIoYXnvV5JVsg1bFcSBhVsmt/yhgSAqhb4LWC\n 2x7tpWm3RttyeduEYWHvvMf3Q5Lg7YAEvJid/KaXYDS0tRda3wmTUPZH0TSpbHHCR4aG\n FAZjFhQSs1M/dEeP9veLlD3xxCC5xvj8ISDqNG9ZYj1/CnYe8Mt5kmKlbmdiQV6vb3Wf\n dQDg==", "X-Forwarded-Encrypted": "i=1;\n AFNElJ828dVxkBUwtBdzIMFZMg8Ofes2HEJzUeO5reydZxwnDwe99x/EGuapzesLb67/xiSbNg5R0O+a/qf9@vger.kernel.org", "X-Gm-Message-State": "AOJu0YyjKkIaxtHs9gV/2ByLXHd/uzPgvlNwxVKCT7d3Lm5/2aH7TXMV\n\tTF2zklsFhZCcPUNT56FE5544Z9NdAbEwdaXZwCbBuWu1jYd9Idyn+MFo", "X-Gm-Gg": "AeBDiet09lLfSuy3cBm8nliEDRccAn86pVQomdENENKe0ZcPh8TF/j/f1B6dFVh89pw\n\tTS0I5Pl6CXyO120hS2XxByN6YLtC7ENK2Bny8k6PSFGC0KxQk9MJBS6zbFAqr3gjTU5y9CtAFGl\n\t8BmVxLiOUiv9QEp0ddmUujyysx/qX1aCYqUYXbURGeCEPLSMX7RJmsv3OeMqx6hH/vwEdE2GgY5\n\tbW0d8FQc1rObpWp6XB8+PQVKNxulmSKuF9DyP5m7QO6R8PSqYDGl0NgyHIxIFYz50sUb9nqWAEf\n\tzNngP2KPPvwrGj8FlZw2chLzmwrElD82Tsgm9mwBko7hDk9EuCACyvMPB4Z6vUg/WByWTjQ6oyN\n\t9fsJboD3jlfibYKzOORbxT/09YGzu8CQe7bX9g3J3moPjtn4N1gyHBSBeCVn7RYJ1yEGXS4NF21\n\tJGQg2/OrTscJrjuh48nj6uMzCnmokUwH3FkzmCZNxHNHN1A4zrgiaVhJPS5aolx7hGunoLfed5H\n\tTgusfvLOYqTqXXZhBEKUTnHhrFes3c=", "X-Received": "by 2002:a05:620a:2914:b0:8da:cfe6:c67c with SMTP id\n af79cd13be357-8e7918a348amr1630968185a.28.1776643913509;\n Sun, 19 Apr 2026 17:11:53 -0700 (PDT)", "From": "Michael Bommarito <michael.bommarito@gmail.com>", "To": "Steve French <sfrench@samba.org>,\n\tNamjae Jeon <linkinjeon@kernel.org>,\n\tlinux-cifs@vger.kernel.org", "Cc": "Paulo Alcantara <pc@manguebit.org>,\n\tRonnie Sahlberg <ronniesahlberg@gmail.com>,\n\tShyam Prasad N <sprasad@microsoft.com>,\n\tTom Talpey <tom@talpey.com>,\n\tBharath SM <bharathsm@microsoft.com>,\n\tstable@vger.kernel.org", "Subject": "[PATCH v2] smb: client: validate the whole DACL before rewriting it\n in cifsacl", "Date": "Sun, 19 Apr 2026 20:11:31 -0400", "Message-ID": "<20260420001131.2865776-1-michael.bommarito@gmail.com>", "X-Mailer": "git-send-email 2.53.0", "In-Reply-To": "<20260416193325.2950619-1-michael.bommarito@gmail.com>", "References": "<20260416193325.2950619-1-michael.bommarito@gmail.com>", "Precedence": "bulk", "X-Mailing-List": "linux-cifs@vger.kernel.org", "List-Id": "<linux-cifs.vger.kernel.org>", "List-Subscribe": "<mailto:linux-cifs+subscribe@vger.kernel.org>", "List-Unsubscribe": "<mailto:linux-cifs+unsubscribe@vger.kernel.org>", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit" }, "content": "build_sec_desc() and id_mode_to_cifs_acl() derive a DACL pointer from a\nserver-supplied dacloffset and then use the incoming ACL to rebuild the\nchmod/chown security descriptor.\n\nThe original fix only checked that the struct smb_acl header fits before\nreading dacl_ptr->size or dacl_ptr->num_aces. That avoids the immediate\nheader-field OOB read, but the rewrite helpers still walk ACEs based on\npdacl->num_aces with no structural validation of the incoming DACL body.\n\nA malicious server can return a truncated DACL that still contains a\nheader, claims one or more ACEs, and then drive\nreplace_sids_and_copy_aces() or set_chmod_dacl() past the validated\nextent while they compare or copy attacker-controlled ACEs.\n\nFactor the DACL structural checks into validate_dacl(), extend them to\nvalidate each ACE against the DACL bounds, and use the shared validator\nbefore the chmod/chown rebuild paths. parse_dacl() reuses the same\nvalidator so the read-side parser and write-side rewrite paths agree on\nwhat constitutes a well-formed incoming DACL.\n\nFixes: bc3e9dd9d104 (\"cifs: Change SIDs in ACEs while transferring file ownership.\")\nCc: stable@vger.kernel.org\nAssisted-by: Claude:claude-opus-4-6\nAssisted-by: Codex:gpt-5-4\nSigned-off-by: Michael Bommarito <michael.bommarito@gmail.com>\n---\nChanges in v2:\nValidate the whole incoming DACL before the chmod/chown rewrite helpers\nuse num_aces or ACE contents, not just the smb_acl header fields.\nFactor the structural checks into validate_dacl() and reuse the same\nvalidator in parse_dacl() so the read-side parser and rewrite paths stay\nin sync.\nReran UML synthetic build_sec_desc() tests and confirmed that both the\nexact-end dacloffset case and the header-only num_aces case now fail\nwith -EINVAL, while an empty valid DACL still succeeds.\n\n fs/smb/client/cifsacl.c | 116 +++++++++++++++++++++++++++++-----------\n 1 file changed, 85 insertions(+), 31 deletions(-)", "diff": "diff --git a/fs/smb/client/cifsacl.c b/fs/smb/client/cifsacl.c\nindex c920039d733c..cb4060ba5e31 100644\n--- a/fs/smb/client/cifsacl.c\n+++ b/fs/smb/client/cifsacl.c\n@@ -758,6 +758,77 @@ static void dump_ace(struct smb_ace *pace, char *end_of_acl)\n }\n #endif\n \n+static int validate_dacl(struct smb_acl *pdacl, char *end_of_acl)\n+{\n+\tint i, ace_hdr_size, ace_size, min_ace_size;\n+\tu16 dacl_size, num_aces;\n+\tchar *acl_base, *end_of_dacl;\n+\tstruct smb_ace *pace;\n+\n+\tif (!pdacl)\n+\t\treturn 0;\n+\n+\tif (end_of_acl < (char *)pdacl + sizeof(struct smb_acl)) {\n+\t\tcifs_dbg(VFS, \"ACL too small to parse DACL\\n\");\n+\t\treturn -EINVAL;\n+\t}\n+\n+\tdacl_size = le16_to_cpu(pdacl->size);\n+\tif (dacl_size < sizeof(struct smb_acl) ||\n+\t end_of_acl < (char *)pdacl + dacl_size) {\n+\t\tcifs_dbg(VFS, \"ACL too small to parse DACL\\n\");\n+\t\treturn -EINVAL;\n+\t}\n+\n+\tnum_aces = le16_to_cpu(pdacl->num_aces);\n+\tif (!num_aces)\n+\t\treturn 0;\n+\n+\tace_hdr_size = offsetof(struct smb_ace, sid) +\n+\t\toffsetof(struct smb_sid, sub_auth);\n+\tmin_ace_size = ace_hdr_size + sizeof(__le32);\n+\tif (num_aces > (dacl_size - sizeof(struct smb_acl)) / min_ace_size) {\n+\t\tcifs_dbg(VFS, \"ACL too small to parse DACL\\n\");\n+\t\treturn -EINVAL;\n+\t}\n+\n+\tend_of_dacl = (char *)pdacl + dacl_size;\n+\tacl_base = (char *)pdacl;\n+\tace_size = sizeof(struct smb_acl);\n+\n+\tfor (i = 0; i < num_aces; ++i) {\n+\t\tif (end_of_dacl - acl_base < ace_size) {\n+\t\t\tcifs_dbg(VFS, \"ACL too small to parse ACE\\n\");\n+\t\t\treturn -EINVAL;\n+\t\t}\n+\n+\t\tpace = (struct smb_ace *)(acl_base + ace_size);\n+\t\tacl_base = (char *)pace;\n+\n+\t\tif (end_of_dacl - acl_base < ace_hdr_size ||\n+\t\t pace->sid.num_subauth == 0 ||\n+\t\t pace->sid.num_subauth > SID_MAX_SUB_AUTHORITIES) {\n+\t\t\tcifs_dbg(VFS, \"ACL too small to parse ACE\\n\");\n+\t\t\treturn -EINVAL;\n+\t\t}\n+\n+\t\tace_size = ace_hdr_size + sizeof(__le32) * pace->sid.num_subauth;\n+\t\tif (end_of_dacl - acl_base < ace_size ||\n+\t\t le16_to_cpu(pace->size) < ace_size) {\n+\t\t\tcifs_dbg(VFS, \"ACL too small to parse ACE\\n\");\n+\t\t\treturn -EINVAL;\n+\t\t}\n+\n+\t\tace_size = le16_to_cpu(pace->size);\n+\t\tif (end_of_dacl - acl_base < ace_size) {\n+\t\t\tcifs_dbg(VFS, \"ACL too small to parse ACE\\n\");\n+\t\t\treturn -EINVAL;\n+\t\t}\n+\t}\n+\n+\treturn 0;\n+}\n+\n static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl,\n \t\t struct smb_sid *pownersid, struct smb_sid *pgrpsid,\n \t\t struct cifs_fattr *fattr, bool mode_from_special_sid)\n@@ -765,7 +836,7 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl,\n \tint i;\n \tu16 num_aces = 0;\n \tint acl_size;\n-\tchar *acl_base;\n+\tchar *acl_base, *end_of_dacl;\n \tstruct smb_ace **ppace;\n \n \t/* BB need to add parm so we can store the SID BB */\n@@ -777,12 +848,8 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl,\n \t\treturn;\n \t}\n \n-\t/* validate that we do not go past end of acl */\n-\tif (end_of_acl < (char *)pdacl + sizeof(struct smb_acl) ||\n-\t end_of_acl < (char *)pdacl + le16_to_cpu(pdacl->size)) {\n-\t\tcifs_dbg(VFS, \"ACL too small to parse DACL\\n\");\n+\tif (validate_dacl(pdacl, end_of_acl))\n \t\treturn;\n-\t}\n \n \tcifs_dbg(NOISY, \"DACL revision %d size %d num aces %d\\n\",\n \t\t le16_to_cpu(pdacl->revision), le16_to_cpu(pdacl->size),\n@@ -793,6 +860,7 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl,\n \t user/group/other have no permissions */\n \tfattr->cf_mode &= ~(0777);\n \n+\tend_of_dacl = (char *)pdacl + le16_to_cpu(pdacl->size);\n \tacl_base = (char *)pdacl;\n \tacl_size = sizeof(struct smb_acl);\n \n@@ -800,35 +868,15 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl,\n \tif (num_aces > 0) {\n \t\tumode_t denied_mode = 0;\n \n-\t\tif (num_aces > (le16_to_cpu(pdacl->size) - sizeof(struct smb_acl)) /\n-\t\t\t\t(offsetof(struct smb_ace, sid) +\n-\t\t\t\t offsetof(struct smb_sid, sub_auth) + sizeof(__le16)))\n-\t\t\treturn;\n-\n \t\tppace = kmalloc_objs(struct smb_ace *, num_aces);\n \t\tif (!ppace)\n \t\t\treturn;\n \n \t\tfor (i = 0; i < num_aces; ++i) {\n-\t\t\tif (end_of_acl - acl_base < acl_size)\n-\t\t\t\tbreak;\n-\n \t\t\tppace[i] = (struct smb_ace *) (acl_base + acl_size);\n-\t\t\tacl_base = (char *)ppace[i];\n-\t\t\tacl_size = offsetof(struct smb_ace, sid) +\n-\t\t\t\toffsetof(struct smb_sid, sub_auth);\n-\n-\t\t\tif (end_of_acl - acl_base < acl_size ||\n-\t\t\t ppace[i]->sid.num_subauth == 0 ||\n-\t\t\t ppace[i]->sid.num_subauth > SID_MAX_SUB_AUTHORITIES ||\n-\t\t\t (end_of_acl - acl_base <\n-\t\t\t acl_size + sizeof(__le32) * ppace[i]->sid.num_subauth) ||\n-\t\t\t (le16_to_cpu(ppace[i]->size) <\n-\t\t\t acl_size + sizeof(__le32) * ppace[i]->sid.num_subauth))\n-\t\t\t\tbreak;\n \n #ifdef CONFIG_CIFS_DEBUG2\n-\t\t\tdump_ace(ppace[i], end_of_acl);\n+\t\t\tdump_ace(ppace[i], end_of_dacl);\n #endif\n \t\t\tif (mode_from_special_sid &&\n \t\t\t (compare_sids(&(ppace[i]->sid),\n@@ -870,6 +918,7 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl,\n \t\t\t\t(void *)ppace[i],\n \t\t\t\tsizeof(struct smb_ace)); */\n \n+\t\t\tacl_base = (char *)ppace[i];\n \t\t\tacl_size = le16_to_cpu(ppace[i]->size);\n \t\t}\n \n@@ -1293,10 +1342,9 @@ static int build_sec_desc(struct smb_ntsd *pntsd, struct smb_ntsd *pnntsd,\n \tdacloffset = le32_to_cpu(pntsd->dacloffset);\n \tif (dacloffset) {\n \t\tdacl_ptr = (struct smb_acl *)((char *)pntsd + dacloffset);\n-\t\tif (end_of_acl < (char *)dacl_ptr + le16_to_cpu(dacl_ptr->size)) {\n-\t\t\tcifs_dbg(VFS, \"Server returned illegal ACL size\\n\");\n-\t\t\treturn -EINVAL;\n-\t\t}\n+\t\trc = validate_dacl(dacl_ptr, end_of_acl);\n+\t\tif (rc)\n+\t\t\treturn rc;\n \t}\n \n \towner_sid_ptr = (struct smb_sid *)((char *)pntsd +\n@@ -1662,6 +1710,12 @@ id_mode_to_cifs_acl(struct inode *inode, const char *path, __u64 *pnmode,\n \t\tdacloffset = le32_to_cpu(pntsd->dacloffset);\n \t\tif (dacloffset) {\n \t\t\tdacl_ptr = (struct smb_acl *)((char *)pntsd + dacloffset);\n+\t\t\trc = validate_dacl(dacl_ptr, (char *)pntsd + secdesclen);\n+\t\t\tif (rc) {\n+\t\t\t\tkfree(pntsd);\n+\t\t\t\tcifs_put_tlink(tlink);\n+\t\t\t\treturn rc;\n+\t\t\t}\n \t\t\tif (mode_from_sid)\n \t\t\t\tnsecdesclen +=\n \t\t\t\t\tle16_to_cpu(dacl_ptr->num_aces) * sizeof(struct smb_ace);\n", "prefixes": [ "v2" ] }