Patch "ksmbd: avoid field overflow warning" has been added to the 5.15-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 9 Jul 2023 02:21:22 -0400

This is a note to let you know that I've just added the patch titled

    ksmbd: avoid field overflow warning

to the 5.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     ksmbd-avoid-field-overflow-warning.patch
and it can be found in the queue-5.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 57d7c3677108aaa9f8558d260fe6eb187c0a9a9f
Author: Arnd Bergmann <arnd@xxxxxxxx>
Date:   Mon Jun 19 10:19:38 2023 +0200

    ksmbd: avoid field overflow warning
    
    [ Upstream commit 9cedc58bdbe9fff9aacd0ca19ee5777659f28fd7 ]
    
    clang warns about a possible field overflow in a memcpy:
    
    In file included from fs/smb/server/smb_common.c:7:
    include/linux/fortify-string.h:583:4: error: call to '__write_overflow_field' declared with 'warning' attribute: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror,-Wattribute-warning]
                            __write_overflow_field(p_size_field, size);
    
    It appears to interpret the "&out[baselen + 4]" as referring to a single
    byte of the character array, while the equivalen "out + baselen + 4" is
    seen as an offset into the array.
    
    I don't see that kind of warning elsewhere, so just go with the simple
    rework.
    
    Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
    Signed-off-by: Arnd Bergmann <arnd@xxxxxxxx>
    Acked-by: Namjae Jeon <linkinjeon@xxxxxxxxxx>
    Signed-off-by: Steve French <stfrench@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/fs/ksmbd/smb_common.c b/fs/ksmbd/smb_common.c
index f034b75c6d7f4..af583e4266215 100644
--- a/fs/ksmbd/smb_common.c
+++ b/fs/ksmbd/smb_common.c
@@ -423,7 +423,7 @@ int ksmbd_extract_shortname(struct ksmbd_conn *conn, const char *longname,
 	out[baselen + 3] = PERIOD;
 
 	if (dot_present)
-		memcpy(&out[baselen + 4], extension, 4);
+		memcpy(out + baselen + 4, extension, 4);
 	else
 		out[baselen + 4] = '\0';
 	smbConvertToUTF16((__le16 *)shortname, out, PATH_MAX,






