This fixed the 'field spanning write' warnings for me. merged into ksmbd-for-next On Wed, Aug 14, 2024 at 6:56 PM Namjae Jeon <linkinjeon@xxxxxxxxxx> wrote:
>
> rsp buffer is allocatged larger than spnego_blob from
> smb2_allocate_rsp_buf().
>
> Signed-off-by: Namjae Jeon <linkinjeon@xxxxxxxxxx>
> ---
> fs/smb/server/smb2pdu.c | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
> index 2df1354288e6..3f4c56a10a86 100644
> --- a/fs/smb/server/smb2pdu.c
> +++ b/fs/smb/server/smb2pdu.c
> @@ -1370,7 +1370,8 @@ static int ntlm_negotiate(struct ksmbd_work *work,
> }
>
> sz = le16_to_cpu(rsp->SecurityBufferOffset);
> - memcpy((char *)&rsp->hdr.ProtocolId + sz, spnego_blob, spnego_blob_len);
> + unsafe_memcpy((char *)&rsp->hdr.ProtocolId + sz, spnego_blob, spnego_blob_len,
> + /* alloc is larger than blob, see smb2_allocate_rsp_buf() */);
> rsp->SecurityBufferLength = cpu_to_le16(spnego_blob_len);
>
> out:
> @@ -1453,7 +1454,9 @@ static int ntlm_authenticate(struct ksmbd_work *work,
> return -ENOMEM;
>
> sz = le16_to_cpu(rsp->SecurityBufferOffset);
> - memcpy((char *)&rsp->hdr.ProtocolId + sz, spnego_blob, spnego_blob_len);
> + unsafe_memcpy((char *)&rsp->hdr.ProtocolId + sz, spnego_blob,
> + spnego_blob_len,
> + /* alloc is larger than blob, see smb2_allocate_rsp_buf() */);
> rsp->SecurityBufferLength = cpu_to_le16(spnego_blob_len);
> kfree(spnego_blob);
> }
> --
> 2.25.1
> -- Thanks, Steve
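Review bot: Switching to unsafe_memcpy() in ntlm_negotiate() silences the fortified field-bounds check, so the only remaining guarantee that `sz + spnego_blob_len` fits in the response buffer is the justification comment; neither hunk shows a runtime comparison against the size smb2_allocate_rsp_buf() actually allocated. The same applies to the second hunk in ntlm_authenticate(). Since the blob length comes from the SPNEGO/NTLMSSP encoding step earlier in each function (outside these hunks), it would be worth either checking the sum against the allocated response size before the copy, or stating the invariant precisely, e.g. `/* rsp is the smb2_allocate_rsp_buf() allocation, not just the struct; SecurityBufferOffset + spnego_blob_len stays within it */`. Both function bodies start and end outside the hunks, so an existing bound check elsewhere cannot be ruled out from here.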