This is a note to let you know that I've just added the patch titled smb: client: fix OOB in receive_encrypted_standard() to the 6.6-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: smb-client-fix-oob-in-receive_encrypted_standard.patch and it can be found in the queue-6.6 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From eec04ea119691e65227a97ce53c0da6b9b74b0b7 Mon Sep 17 00:00:00 2001 From: Paulo Alcantara <pc@xxxxxxxxxxxxx> Date: Mon, 11 Dec 2023 10:26:40 -0300 Subject: smb: client: fix OOB in receive_encrypted_standard() From: Paulo Alcantara <pc@xxxxxxxxxxxxx> commit eec04ea119691e65227a97ce53c0da6b9b74b0b7 upstream. Fix potential OOB in receive_encrypted_standard() if server returned a large shdr->NextCommand that would end up writing off the end of @next_buffer. Fixes: b24df3e30cbf ("cifs: update receive_encrypted_standard to handle compounded responses") Cc: stable@xxxxxxxxxxxxxxx Reported-by: Robert Morris <rtm@xxxxxxxxxxxxx> Signed-off-by: Paulo Alcantara (SUSE) <pc@xxxxxxxxxxxxx> Signed-off-by: Steve French <stfrench@xxxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- fs/smb/client/smb2ops.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) --- a/fs/smb/client/smb2ops.c +++ b/fs/smb/client/smb2ops.c @@ -4941,6 +4941,7 @@ receive_encrypted_standard(struct TCP_Se struct smb2_hdr *shdr; unsigned int pdu_length = server->pdu_size; unsigned int buf_size; + unsigned int next_cmd; struct mid_q_entry *mid_entry; int next_is_large; char *next_buffer = NULL; @@ -4969,14 +4970,15 @@ receive_encrypted_standard(struct TCP_Se next_is_large = server->large_buf; one_more: shdr = (struct smb2_hdr *)buf; - if (shdr->NextCommand) { + next_cmd = le32_to_cpu(shdr->NextCommand); + if (next_cmd) { + if (WARN_ON_ONCE(next_cmd > pdu_length)) + return -1; if (next_is_large) next_buffer = (char *)cifs_buf_get(); else next_buffer = (char *)cifs_small_buf_get(); - memcpy(next_buffer, - buf + le32_to_cpu(shdr->NextCommand), - pdu_length - le32_to_cpu(shdr->NextCommand)); + memcpy(next_buffer, buf + next_cmd, pdu_length - next_cmd); } mid_entry = smb2_find_mid(server, buf); @@ -5000,8 +5002,8 @@ one_more: else ret = cifs_handle_standard(server, mid_entry); - if (ret == 0 && shdr->NextCommand) { - pdu_length -= le32_to_cpu(shdr->NextCommand); + if (ret == 0 && next_cmd) { + pdu_length -= next_cmd; server->large_buf = next_is_large; if (next_is_large) server->bigbuf = buf = next_buffer; Patches currently in stable-queue which might be from pc@xxxxxxxxxxxxx are queue-6.6/smb-client-introduce-parse_reparse_point.patch queue-6.6/ksmbd-fix-wrong-name-of-smb2_create_allocation_size.patch queue-6.6/smb-client-fix-oob-in-smb2_query_reparse_point.patch queue-6.6/smb-client-fix-null-deref-in-asn1_ber_decoder.patch queue-6.6/smb-client-fix-potential-oobs-in-smb2_parse_contexts.patch queue-6.6/smb-client-set-correct-file-type-from-nfs-reparse-po.patch queue-6.6/smb-client-implement-query_reparse_point-for-smb1.patch queue-6.6/smb-client-fix-oob-in-receive_encrypted_standard.patch