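/*
 * kernel test robot sparse report
 * (0-DAY CI Kernel Test Service, https://github.com/intel/lkp-tests/wiki)
 *
 * tree:     https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
 * head:     2e93f143ca010a5013528e1cfdc895f024fe8c21
 * commit:   eb143b7ceab55d75f33833f9289f7194ed9c4f73 [13671/13793]
 *           ksmbd: fix potencial out-of-bounds when buffer offset is invalid
 * config:   i386-randconfig-r122-20240318
 *           (https://download.01.org/0day-ci/archive/20240319/202403190118.CmBL5MpO-lkp@xxxxxxxxx/config)
 * compiler: clang version 17.0.6
 *           (https://github.com/llvm/llvm-project 6009708b4367171ccdbf4b5905cb6a803753fe18)
 * reproduce (this is a W=1 build):
 *           (https://download.01.org/0day-ci/archive/20240319/202403190118.CmBL5MpO-lkp@xxxxxxxxx/reproduce)
 *
 * If you fix the issue in a separate patch/commit (i.e. not just a new
 * version of the same patch/commit), kindly add following tags
 * | Reported-by: kernel test robot <lkp@xxxxxxxxx>
 * | Closes: https://lore.kernel.org/oe-kbuild-all/202403190118.CmBL5MpO-lkp@xxxxxxxxx/
 *
 * sparse warnings: (new ones prefixed by >>)
 * >> fs/smb/server/smb2pdu.c:7821:40: sparse: sparse: cast to restricted __le16
 * >> fs/smb/server/smb2pdu.c:7821:40: sparse: sparse: cast from restricted __le32
 *    fs/smb/server/smb2pdu.c:7957:32: sparse: sparse: cast to restricted __le16
 *    fs/smb/server/smb2pdu.c:7957:32: sparse: sparse: cast from restricted __le32
 *
 * Listing: vim +7821 fs/smb/server/smb2pdu.c, lines 7815-7858 of the report.
 * The flagged line 7821 is the data_buf initialiser below. The 7957:32 pair
 * reports the same cast, but that code is outside this listing.
 */

/**
 * fsctl_pipe_transceive() - pass an ioctl's input bytes to the RPC handler
 *                           and copy the reply into the response buffer
 * @work:        request context; only work->sess is read here
 * @id:          identifier handed through to ksmbd_rpc_ioctl()
 * @out_buf_len: upper bound on the bytes copied into rsp->Buffer
 * @req:         ioctl request; InputOffset and InputCount locate the input
 * @rsp:         ioctl response; hdr.Status and Buffer are written
 *
 * Return: number of bytes copied into rsp->Buffer; 0 when the RPC call
 * returned nothing, reported a failure flag, or carried an empty payload.
 */
static int fsctl_pipe_transceive(struct ksmbd_work *work, u64 id,
				 unsigned int out_buf_len,
				 struct smb2_ioctl_req *req,
				 struct smb2_ioctl_rsp *rsp)
{
	struct ksmbd_rpc_command *rpc_resp;
	/*
	 * sparse reports InputOffset as __le32, so convert it with
	 * le32_to_cpu(). The le16 helper reads the field at the wrong width,
	 * so the pointer built here could differ from the offset that was
	 * range-checked.
	 *
	 * NOTE(review): InputOffset and InputCount come from the request and
	 * are not bounds-checked in this function. Presumably the caller
	 * validates them against the received buffer length; confirm,
	 * because data_buf and InputCount are used as given.
	 */
	char *data_buf = (char *)req + le32_to_cpu(req->InputOffset);
	int nbytes = 0;

	rpc_resp = ksmbd_rpc_ioctl(work->sess, id, data_buf,
				   le32_to_cpu(req->InputCount));
	if (rpc_resp) {
		if (rpc_resp->flags == KSMBD_RPC_SOME_NOT_MAPPED) {
			/*
			 * set STATUS_SOME_NOT_MAPPED response
			 * for unknown domain sid.
			 */
			rsp->hdr.Status = STATUS_SOME_NOT_MAPPED;
		} else if (rpc_resp->flags == KSMBD_RPC_ENOTIMPLEMENTED) {
			rsp->hdr.Status = STATUS_NOT_SUPPORTED;
			goto out;
		} else if (rpc_resp->flags != KSMBD_RPC_OK) {
			rsp->hdr.Status = STATUS_INVALID_PARAMETER;
			goto out;
		}

		/* Clamp the copy to the caller's output budget. */
		nbytes = rpc_resp->payload_sz;
		if (rpc_resp->payload_sz > out_buf_len) {
			rsp->hdr.Status = STATUS_BUFFER_OVERFLOW;
			nbytes = out_buf_len;
		}

		/* An empty payload is an error; nbytes is already 0 here. */
		if (!rpc_resp->payload_sz) {
			rsp->hdr.Status =
				STATUS_UNEXPECTED_IO_ERROR;
			goto out;
		}

		memcpy((char *)rsp->Buffer, rpc_resp->payload, nbytes);
	}
out:
	/* rpc_resp may be NULL on this path; it is passed to kvfree() as is. */
	kvfree(rpc_resp);
	return nbytes;
}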