Commit 30010c95 authored Apr 17, 2026 by Tristan Madani Committed by Steve French Apr 18, 2026

ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment



smb2_get_ea() applies 4-byte alignment padding via memset() after
writing each EA entry. The bounds check on buf_free_len is performed
before the value memcpy, but the alignment memset fires unconditionally
afterward with no check on remaining space.

When the EA value exactly fills the remaining buffer (buf_free_len == 0
after value subtraction), the alignment memset writes 1-3 NUL bytes
past the buf_free_len boundary. In compound requests where the response
buffer is shared across commands, the first command (e.g., READ) can
consume most of the buffer, leaving a tight remainder for the QUERY_INFO
EA response. The alignment memset then overwrites past the physical
kvmalloc allocation into adjacent kernel heap memory.

Add a bounds check before the alignment memset to ensure buf_free_len
can accommodate the padding bytes.

This is the same bug pattern fixed by commit beef2634 ("ksmbd: fix
potencial OOB in get_file_all_info() for compound requests") and
commit fda9522e ("ksmbd: fix OOB write in QUERY_INFO for compound
requests"), both of which added bounds checks before unconditional
writes in QUERY_INFO response handlers.

Cc: stable@vger.kernel.org
Fixes: e2b76ab8 ("ksmbd: add support for read compound")
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>

parent 299f962c

fs/smb/server/smb2pdu.c

+2 −0

Original line number	Diff line number	Diff line
		@@ -4818,6 +4818,8 @@ static int smb2_get_ea(struct ksmbd_work work, struct ksmbd_file fp,
		/* align next xattr entry at 4 byte bundary */
		alignment_bytes = ((next_offset + 3) & ~3) - next_offset;
		if (alignment_bytes) {
		if (buf_free_len < alignment_bytes)
		break;
		memset(ptr, '\0', alignment_bytes);
		ptr += alignment_bytes;
		next_offset += alignment_bytes;