* [PATCH AUTOSEL 6.17-6.1] smb: fix invalid username check in smb3_fs_context_parse_param()
From: Sasha Levin @ 2025-11-20 12:08 UTC (permalink / raw)
To: patches, stable
Cc: Yiqi Sun, Steve French, Sasha Levin, sfrench, linux-cifs,
samba-technical
From: Yiqi Sun <sunyiqixm@gmail.com>
[ Upstream commit ed6612165b74f09db00ef0abaf9831895ab28b7f ]
Since the maximum return value of strnlen(..., CIFS_MAX_USERNAME_LEN)
is CIFS_MAX_USERNAME_LEN, the length check in smb3_fs_context_parse_param()
is always FALSE and invalid.
Fix the comparison in the if statement.
Signed-off-by: Yiqi Sun <sunyiqixm@gmail.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
LLM Generated explanations, may be completely bogus:
## CONCLUSION
This commit fixes a **5-year-old logic error** in SMB/CIFS username
validation that has existed since the mount API refactoring in v5.11
(December 2020). The bug is a classic off-by-one comparison error where
`strnlen(..., 256) > 256` is always false because strnlen returns at
most 256.
**The bug causes:**
- **Validation bypass** allowing usernames longer than 256 characters
- **Memory waste** through unnecessary kernel allocations
- **Authentication failures** with confusing error messages when
truncated usernames are sent to servers
- **Protocol non-compliance** with SMB username length limits
**The fix is trivial:**
- Changes one character: `>` becomes `==`
- Brings username validation in line with domain name validation (same
file, line 1509)
- Zero risk of regression (only makes validation stricter)
**Evidence supporting backport:**
- **Already backported** to 7+ stable trees (6.12.y, 6.11.y, 6.6.y,
6.1.y, 5.15.y, 5.10.y, 5.4.y)
- **Obviously correct** - single-character fix that matches the pattern
used elsewhere
- **Small and contained** - one line in one file
- **Fixes real user issues** - authentication failures with long
usernames
- **Long-standing bug** - affects all kernels from v5.11 to present
This is a **textbook example** of an appropriate stable kernel backport:
small, surgical, obviously correct, fixes a real bug, and carries no
regression risk.
**YES**
fs/smb/client/fs_context.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/smb/client/fs_context.c b/fs/smb/client/fs_context.c
index 072383899e817..8470ecd6f8924 100644
--- a/fs/smb/client/fs_context.c
+++ b/fs/smb/client/fs_context.c
@@ -1470,7 +1470,7 @@ static int smb3_fs_context_parse_param(struct fs_context *fc,
break;
}
- if (strnlen(param->string, CIFS_MAX_USERNAME_LEN) >
+ if (strnlen(param->string, CIFS_MAX_USERNAME_LEN) ==
CIFS_MAX_USERNAME_LEN) {
pr_warn("username too long\n");
goto cifs_parse_mount_err;
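Review bot: the `==` in `if (strnlen(param->string, CIFS_MAX_USERNAME_LEN) ==` is correct only because strnlen() can never return more than its bound; `>=` would express the intent (no terminator within the first CIFS_MAX_USERNAME_LEN bytes) without depending on that property and is equally cheap. It would also help to say in the commit message that a username of exactly CIFS_MAX_USERNAME_LEN characters is now rejected, because that is the user-visible behaviour change relative to the previous always-false check and it is what makes the "too long" warning reachable at all.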
--
2.51.0
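As an added illustration, not part of the patch or of the kernel source, the following user-space C program reproduces the two comparisons side by side so the always-false property of the original check can be observed directly. It assumes CIFS_MAX_USERNAME_LEN is 256 as stated above; the function names `username_too_long_buggy`, `username_too_long_fixed` and `check_username_len` are hypothetical helpers written for this example, and the usernames they test are constructed runs of `'a'`.

```c
#define _POSIX_C_SOURCE 200809L  /* for strnlen() in glibc */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed to match the kernel's CIFS_MAX_USERNAME_LEN (256). */
#define CIFS_MAX_USERNAME_LEN 256

/* Pre-patch comparison. strnlen() is bounded by CIFS_MAX_USERNAME_LEN, so
 * it can never exceed it: this function returns 0 for every input. */
int username_too_long_buggy(const char *username)
{
    return strnlen(username, CIFS_MAX_USERNAME_LEN) > CIFS_MAX_USERNAME_LEN;
}

/* Patched comparison. Hitting the bound means no NUL was found within the
 * first CIFS_MAX_USERNAME_LEN bytes, i.e. the name has at least that many
 * characters and cannot fit a buffer of CIFS_MAX_USERNAME_LEN with its NUL. */
int username_too_long_fixed(const char *username)
{
    return strnlen(username, CIFS_MAX_USERNAME_LEN) == CIFS_MAX_USERNAME_LEN;
}

/* Build a constructed username of n 'a' characters and run one of the two
 * checks on it. Returns 1 if the check rejects the name as too long, 0 if it
 * accepts it, and -1 if n does not fit the scratch buffer. */
int check_username_len(size_t n, int use_fixed)
{
    static char buf[1024];

    if (n >= sizeof(buf))
        return -1;
    memset(buf, 'a', n);
    buf[n] = '\0';
    return use_fixed ? username_too_long_fixed(buf)
                     : username_too_long_buggy(buf);
}

int main(void)
{
    const size_t lens[] = { 255, 256, 300 };
    size_t i;

    for (i = 0; i < sizeof(lens) / sizeof(lens[0]); i++)
        printf("len %zu: buggy rejects=%d fixed rejects=%d\n", lens[i],
               check_username_len(lens[i], 0),
               check_username_len(lens[i], 1));
    return 0;
}
```

Running it shows the original check accepting a 300-character name while the patched check rejects both the 256- and 300-character cases and still accepts 255, which is the longest name that fits a CIFS_MAX_USERNAME_LEN-byte buffer with its terminator.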