On Wed, Jan 03, 2024 at 09:29:16AM +0900, Namjae Jeon wrote:
> From: Namjae Jeon <linkinjeon@xxxxxxxxxx>
>
> [ Upstream commit d10c77873ba1e9e6b91905018e29e196fd5f863d ]
>
> If ->NameOffset/Length is bigger than ->CreateContextsOffset/Length,
> ksmbd_check_message doesn't validate the request buffer correctly.
> So a slab-out-of-bounds warning from calling smb_strndup_from_utf16()
> in smb2_open() could happen. If ->NameLength is non-zero, set the larger
> of the two sums (Name and CreateContext size) as the offset and length of
> the data area.
>
> Reported-by: Yang Chaoming <lometsj@xxxxxxxx>
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Namjae Jeon <linkinjeon@xxxxxxxxxx>
> Signed-off-by: Steve French <stfrench@xxxxxxxxxxxxx>
> ---
>  fs/ksmbd/smb2misc.c | 15 ++++++++++++---
>  1 file changed, 12 insertions(+), 3 deletions(-)

Now queued up, thanks.

greg k-h
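The data-area rule the commit message describes, written out as an added illustration (this is not ksmbd's code and the struct and function names are constructed for it): before the fix the create-context area is taken as the data area whenever it is present, so a Name that reaches further than the contexts is never bounds-checked; after the fix the larger of the two end offsets is what gets validated against the received length.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed, simplified view of an SMB2 CREATE request: only the fields
 * the fix depends on, offsets relative to the start of the request.
 * Illustrative names, not ksmbd's struct smb2_create_req. */
struct create_view {
    uint32_t req_len;     /* bytes actually received for the request */
    uint16_t name_off;    /* NameOffset */
    uint16_t name_len;    /* NameLength */
    uint32_t cc_off;      /* CreateContextsOffset */
    uint32_t cc_len;      /* CreateContextsLength */
};

/* Select the data area to validate. With fixed == false the create-context
 * area wins whenever it is present (pre-fix behaviour described above); with
 * fixed == true and a non-zero NameLength, whichever of Name and
 * CreateContexts ends further into the request defines the data area. */
static void create_data_area(const struct create_view *r, bool fixed,
                             uint64_t *off, uint64_t *len)
{
    *off = r->name_off;
    *len = r->name_len;
    if (r->cc_len == 0)
        return;
    if (!fixed || r->name_len == 0 ||
        (uint64_t)r->name_off + r->name_len < (uint64_t)r->cc_off + r->cc_len) {
        *off = r->cc_off;
        *len = r->cc_len;
    }
}

/* True when the selected data area lies inside the received bytes.
 * 64-bit sums avoid the offset+length wrap 32-bit arithmetic would allow. */
static bool create_request_fits(const struct create_view *r, bool fixed)
{
    uint64_t off, len;
    create_data_area(r, fixed, &off, &len);
    return off + len <= r->req_len;
}

/* Constructed request of the shape the report describes: a 32-byte create
 * context area that fits in a 128-byte request, but a Name claiming to run
 * to byte 200. The pre-fix check accepts it; the fixed check rejects it. */
static const struct create_view kOversizedName = {
    .req_len = 128, .name_off = 120, .name_len = 80, .cc_off = 88, .cc_len = 32,
};
```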