On Mon, Sep 2, 2024 at 2:07 AM Greg Kroah-Hartman
<gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
>
Hi Greg,
> 5.15-stable review patch. If anyone has any objections, please let me know.
Please drop this patch.
I told you this patch was required for 6.1 kernel versions or later in
previous mail.
Thanks!
>
> ------------------
>
> From: Namjae Jeon <linkinjeon@xxxxxxxxxx>
>
> [ Upstream commit ce61b605a00502c59311d0a4b1f58d62b48272d0 ]
>
> When STATUS_NO_MORE_FILES status is set to smb2 query dir response,
> ->StructureSize is set to 9, which mean buffer has 1 byte.
> This issue occurs because ->Buffer[1] in smb2_query_directory_rsp to
> flex-array.
>
> Fixes: eb3e28c1e89b ("smb3: Replace smb2pdu 1-element arrays with flex-arrays")
> Cc: stable@xxxxxxxxxxxxxxx # v6.1+
> Signed-off-by: Namjae Jeon <linkinjeon@xxxxxxxxxx>
> Signed-off-by: Steve French <stfrench@xxxxxxxxxxxxx>
> Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
> ---
> fs/ksmbd/smb2pdu.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
> index 57f59172d8212..3458f2ae5cee4 100644
> --- a/fs/ksmbd/smb2pdu.c
> +++ b/fs/ksmbd/smb2pdu.c
> @@ -4160,7 +4160,8 @@ int smb2_query_dir(struct ksmbd_work *work)
> rsp->OutputBufferLength = cpu_to_le32(0);
> rsp->Buffer[0] = 0;
> rc = ksmbd_iov_pin_rsp(work, (void *)rsp,
> - sizeof(struct smb2_query_directory_rsp));
> + offsetof(struct smb2_query_directory_rsp, Buffer)
> + + 1);
> if (rc)
> goto err_out;
> } else {
> --
> 2.43.0
>
>
>
