ksmbd: the buffer of smb2 query dir response has at least 1 byte

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

When STATUS_NO_MORE_FILES status is set to smb2 query dir response,
->StructureSize is set to 9, which mean buffer has 1 byte.
This issue occurs because ->Buffer[1] in smb2_query_directory_rsp to
flex-array.

Fixes: eb3e28c1e89b ("smb3: Replace smb2pdu 1-element arrays with flex-arrays")
Cc: stable@vger.kernel.org # v6.1+
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>

authored by

Namjae Jeon and committed by

Steve French 2 years ago ce61b605 b311c1b4

+2 -1

1 changed file

expand all

smb

server

smb2pdu.c

+2 -1

fs/smb/server/smb2pdu.c

··· 4409 4409 rsp->OutputBufferLength = cpu_to_le32(0); 4410 4410 rsp->Buffer[0] = 0; 4411 4411 rc = ksmbd_iov_pin_rsp(work, (void *)rsp, 4412 - sizeof(struct smb2_query_directory_rsp)); 4412 + offsetof(struct smb2_query_directory_rsp, Buffer) 4413 + + 1); 4413 4414 if (rc) 4414 4415 goto err_out; 4415 4416 } else {

Configure Feed

Configure Feed