Commit 7d9a7f1f authored May 14, 2026 by Ye Bin Committed by Steve French May 14, 2026

smb/client: fix possible infinite loop and oob read in symlink_data()



On 32-bit architectures, the infinite loop is as follows:

  len = p->ErrorDataLength == 0xfffffff8
  u8 *next = p->ErrorContextData + len
  next == p

On 32-bit architectures, the out-of-bounds read is as follows:

  len = p->ErrorDataLength == 0xfffffff0
  u8 *next = p->ErrorContextData + len
  next == (u8 *)p - 8

Reported-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
Fixes: 76894f3e ("cifs: improve symlink handling for smb2+")
Cc: stable@vger.kernel.org
Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
Signed-off-by: Steve French <stfrench@microsoft.com>

parent 603ab5ea

fs/smb/client/smb2file.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -49,6 +49,9 @@ static struct smb2_symlink_err_rsp symlink_data(const struct kvec iov)
		__func__, le32_to_cpu(p->ErrorId));

		len = ALIGN(le32_to_cpu(p->ErrorDataLength), 8);
		if (len > end - ((u8 )p + sizeof(p)))
		return ERR_PTR(-EINVAL);

		p = (struct smb2_error_context_rsp *)(p->ErrorContextData + len);
		}
		} else if (le32_to_cpu(err->ByteCount) >= sizeof(*sym) &&