Hi Jan,
Thanks for the report.
So this bug is related to an off-by-one in smb2_set_next_command() when
the client attempts to pad SMB2_QUERY_INFO request -- since it isn't 8 byte
aligned -- even though smb2_query_info_compound() doesn't provide an extra
iov for such padding.
v6.1.y doesn't have
eb3e28c1e89b ("smb3: Replace smb2pdu 1-element arrays with flex-arrays")
and the commit does
+ if (unlikely(check_add_overflow(input_len, sizeof(*req), &len) ||
+ len > CIFSMaxBufSize))
+ return -EINVAL;
+
so sizeof(*req) will wrongly include the extra byte from
smb2_query_info_req::Buffer making @len unaligned and therefore causing
OOB in smb2_set_next_command().
A simple fix for that would be
diff --git a/fs/smb/client/smb2pdu.c b/fs/smb/client/smb2pdu.c
index 05ff8a457a3d..aed5067661de 100644
--- a/fs/smb/client/smb2pdu.c
+++ b/fs/smb/client/smb2pdu.c
@@ -3556,7 +3556,7 @@ SMB2_query_info_init(struct cifs_tcon *tcon, struct TCP_Server_Info *server,
iov[0].iov_base = (char *)req;
/* 1 for Buffer */
- iov[0].iov_len = len;
+ iov[0].iov_len = len - 1;
return 0;
}
