Commit 6f40e50c authored Oct 22, 2025 by Qianchang Zhao Committed by Steve French Oct 26, 2025

ksmbd: transport_ipc: validate payload size before reading handle



handle_response() dereferences the payload as a 4-byte handle without
verifying that the declared payload size is at least 4 bytes. A malformed
or truncated message from ksmbd.mountd can lead to a 4-byte read past the
declared payload size. Validate the size before dereferencing.

This is a minimal fix to guard the initial handle read.

Fixes: 0626e664 ("cifsd: add server handler for central processing and tranport layers")
Cc: stable@vger.kernel.org
Reported-by: Qianchang Zhao <pioooooooooip@gmail.com>
Signed-off-by: Qianchang Zhao <pioooooooooip@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>

parent dcb6fa37

fs/smb/server/transport_ipc.c

+7 −1

Original line number	Diff line number	Diff line
		@@ -263,10 +263,16 @@ static void ipc_msg_handle_free(int handle)

		static int handle_response(int type, void *payload, size_t sz)
		{
		unsigned int handle = (unsigned int )payload;
		unsigned int handle;
		struct ipc_msg_table_entry *entry;
		int ret = 0;

		/* Prevent 4-byte read beyond declared payload size */
		if (sz < sizeof(unsigned int))
		return -EINVAL;

		handle = (unsigned int )payload;

		ipc_update_last_active();
		down_read(&ipc_msg_table_lock);
		hash_for_each_possible(ipc_msg_table, entry, ipc_table_hlist, handle) {