
Merge tag 'v6.13-rc1-ksmbd-server-fixes' of git://git.samba.org/ksmbd

Pull smb server fixes from Steve French:

- Three fixes for potential out-of-bounds accesses in read and write
paths (e.g. when alternate data streams are enabled)

- GCC 15 build fix

* tag 'v6.13-rc1-ksmbd-server-fixes' of git://git.samba.org/ksmbd:
ksmbd: align aux_payload_buf to avoid OOB reads in cryptographic operations
ksmbd: fix Out-of-Bounds Write in ksmbd_vfs_stream_write
ksmbd: fix Out-of-Bounds Read in ksmbd_vfs_stream_read
smb: server: Fix building with GCC 15

+9 -3
+7 -1
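--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -6663,6 +6663,10 @@
 }
 
 offset = le64_to_cpu(req->Offset);
+if (offset < 0) {
+err = -EINVAL;
+goto out;
+}
 length = le32_to_cpu(req->Length);
 mincount = le32_to_cpu(req->MinimumCount);
 
@@ -6680,7 +6676,7 @@
 ksmbd_debug(SMB, "filename %pD, offset %lld, len %zu\n",
 fp->filp, offset, length);
 
-aux_payload_buf = kvzalloc(length, KSMBD_DEFAULT_GFP);
+aux_payload_buf = kvzalloc(ALIGN(length, 8), KSMBD_DEFAULT_GFP);
 if (!aux_payload_buf) {
 err = -ENOMEM;
 goto out;
@@ -6882,6 +6878,8 @@
 }
 
 offset = le64_to_cpu(req->Offset);
+if (offset < 0)
+return -EINVAL;
 length = le32_to_cpu(req->Length);
 
 if (req->Channel == SMB2_CHANNEL_RDMA_V1 ||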
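Review bot: The two added `offset < 0` checks leave their handlers differently: the first hunk sets `err = -EINVAL` and jumps to `out`, while the third hunk returns `-EINVAL` directly. Neither function's `out` label nor the code between the hunks is visible here, so it is worth confirming that the direct return still sends the client an error status and skips no cleanup that `out` performs; if it does not, use the same `err = -EINVAL; goto out;` form, assuming that handler follows the same convention. A short comment on each check, e.g. `/* Offset is a client-supplied 64-bit field; reject values that decode as negative */`, would record why the test exists. In the second hunk, `ALIGN(length, 8)` has no explanation in the code; a comment pointing at the reason given in the commit title (out-of-bounds reads in cryptographic operations) would keep a later cleanup from reverting the allocation to `length`.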
+2 -2
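--- a/fs/smb/server/smb_common.c
+++ b/fs/smb/server/smb_common.c
@@ -18,8 +18,8 @@
 #include "mgmt/share_config.h"
 
 /*for shortname implementation */
-static const char basechars[43] = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_-!@#$%";
-#define MANGLE_BASE (sizeof(basechars) / sizeof(char) - 1)
+static const char *basechars = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_-!@#$%";
+#define MANGLE_BASE (strlen(basechars) - 1)
 #define MAGIC_CHAR '~'
 #define PERIOD '.'
 #define mangle(V) ((char)(basechars[(V) % MANGLE_BASE]))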
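Review bot: `basechars` is now declared `static const char *basechars`, so the pointer itself is writable and `MANGLE_BASE` expands to a `strlen()` call wherever `mangle(V)` is used, where it was a compile-time constant before. Declaring it `static const char * const basechars = ...;` keeps the table pointer read-only and makes it more likely the compiler can fold the length. The `- 1` also needs a comment: the literal has 43 characters, so `MANGLE_BASE` stays 42 as it was with `sizeof`, and the index `(V) % MANGLE_BASE` stays inside the string. That arithmetic also means the final `%` character is never selected, which `strlen(basechars) - 1` does not make obvious and which a later edit to the literal could silently change.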