Commit fa2fd0b1 authored by Henrique Carvalho, committed by Steve French

smb: client: fix UBSAN array-index-out-of-bounds in smb2_copychunk_range

struct copychunk_ioctl_req::ChunkCount is annotated with
__counted_by_le() as the number of elements in Chunks[].

smb2_copychunk_range reuses ChunkCount to store the number of chunks
sent in the current iteration. If a later iteration populates more
chunks than a previous one, the stale smaller value trips UBSAN.

Set ChunkCount to chunk_count (allocated capacity) before populating
Chunks[].

Fixes: cc26f593 ("smb: move copychunk definitions to common/smb2pdu.h")
Link: https://lore.kernel.org/linux-cifs/CAH2r5ms9AWLy8WZ04Cpq5XOeVK64tcrUQ6__iMW+yk1VPzo1BA@mail.gmail.com


Tested-by: Youling Tang <tangyouling@kylinos.cn>
Acked-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
Signed-off-by: Henrique Carvalho <henrique.carvalho@suse.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
parent bc311611
+6 −0
@@ -1905,6 +1905,12 @@ smb2_copychunk_range(const unsigned int xid,
		src_off_prev = src_off;
		dst_off_prev = dst_off;

		/*
		 * __counted_by_le(ChunkCount): set to allocated chunks before
		 * populating Chunks[]
		 */
		cc_req->ChunkCount = cpu_to_le32(chunk_count);

		chunks = 0;
		copy_bytes = 0;
		copy_bytes_left = umin(total_bytes_left, tcon->max_bytes_copy);
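Review bot: the new comment above `cc_req->ChunkCount = cpu_to_le32(chunk_count);` says why the field must be set before Chunks[] is populated, but not that it is later overwritten with the number of chunks actually sent in the current iteration (the commit message states that smb2_copychunk_range reuses ChunkCount for that), which is the reason the assignment sits inside the per-iteration loop next to `src_off_prev`/`dst_off_prev` rather than once at allocation time. Consider extending the comment, e.g. `* populating Chunks[]; it is rewritten below to the number of chunks sent`, so a later cleanup does not hoist it out of the loop and reintroduce the stale-count UBSAN report.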