Commit a58c5af1 authored by Michael Bommarito, committed by Steve French

smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path

smb2_ioctl_query_info() has two response-copy branches: PASSTHRU_FSCTL
and the default QUERY_INFO path.  The QUERY_INFO branch clamps
qi.input_buffer_length to the server-reported OutputBufferLength and then
copies qi.input_buffer_length bytes from qi_rsp->Buffer to userspace, but
it never verifies that the flexible-array payload actually fits within
rsp_iov[1].iov_len.

A malicious server can return OutputBufferLength larger than the actual
QUERY_INFO response, causing copy_to_user() to walk past the response
buffer and expose adjacent kernel heap to userspace.

Guard the QUERY_INFO copy with a bounds check on the actual Buffer
payload.  Use struct_size(qi_rsp, Buffer, qi.input_buffer_length)
rather than an open-coded addition so the guard cannot overflow on
32-bit builds.

Fixes: f5778c39 ("SMB3: Allow SMB3 FSCTL queries to be sent to server from tools")
Cc: stable@vger.kernel.org
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Assisted-by: Claude:claude-opus-4-6
Assisted-by: Codex:gpt-5-4
Signed-off-by: Steve French <stfrench@microsoft.com>
parent 90ea1d02
+6 −0
@@ -1783,6 +1783,12 @@ smb2_ioctl_query_info(const unsigned int xid,
		qi_rsp = (struct smb2_query_info_rsp *)rsp_iov[1].iov_base;
		if (le32_to_cpu(qi_rsp->OutputBufferLength) < qi.input_buffer_length)
			qi.input_buffer_length = le32_to_cpu(qi_rsp->OutputBufferLength);
		if (qi.input_buffer_length > 0 &&
		    struct_size(qi_rsp, Buffer, qi.input_buffer_length) >
		    rsp_iov[1].iov_len) {
			rc = -EFAULT;
			goto out;
		}
		if (copy_to_user(&pqi->input_buffer_length,
				 &qi.input_buffer_length,
				 sizeof(qi.input_buffer_length))) {