From: Michael Bommarito <michael.bommarito@gmail.com>
To: Namjae Jeon <linkinjeon@kernel.org>
Cc: linux-cifs@vger.kernel.org, Steve French <smfrench@gmail.com>,
Sergey Senozhatsky <senozhatsky@chromium.org>,
Tom Talpey <tom@talpey.com>,
stable@vger.kernel.org
Subject: Re: [PATCH 1/3] ksmbd: cap response sizes in ipc_validate_msg()
Date: Tue, 14 Apr 2026 22:35:10 -0400 [thread overview]
Message-ID: <20260415023510.2659606-1-michael.bommarito@gmail.com> (raw)
In-Reply-To: <CAKYAXd-zwPuES8PdV+XQjuQUemVKejayqY_0aYS=88uZ=FG9+w@mail.gmail.com>
On Wed, Apr 15, 2026 at 11:00:58AM +0900, Namjae Jeon wrote:
> However, on the userspace side (ksmbd-tools/mountd/rpc.c), the DCE/RPC
> response builder (try_realloc_payload() and ndr_write_bytes())
> dynamically grows the payload by 4096 bytes using g_try_realloc() when
> preparing responses for calls such as NetShareEnumAll, etc..
> This can cause share enumeration failures on servers with many shares.
OK, thanks for explaining. Sorry for missing that context. If you
are OK with it, I will send a v2 that drops the cap on RPC_REQUEST
and SHARE_CONFIG_REQUEST and uses check_add_overflow() to just
prevent msg_sz from wrapping. The [0, NGROUPS_MAX] bound stays on
LOGIN_REQUEST_EXT.
> You don't add the check for KSMBD_EVENT_SPNEGO_AUTHEN_REQUEST case.
> We don't need to check resp->session_key_len and resp->spnego_blob_len?
They're both __u16 so the sum can't wrap the unsigned int msg_sz,
which is why I skipped them. Happy to add check_add_overflow() there
too for symmetry and clarity in case anyone refactors. Just let me
know which you prefer.
Thanks,
Mike
next prev parent reply other threads:[~2026-04-15 2:35 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-14 19:15 [PATCH 0/3] ksmbd: harden IPC response arithmetic and ACE walk Michael Bommarito
2026-04-14 19:15 ` [PATCH 1/3] ksmbd: cap response sizes in ipc_validate_msg() Michael Bommarito
2026-04-15 2:00 ` Namjae Jeon
2026-04-15 2:35 ` Michael Bommarito [this message]
2026-04-15 4:22 ` Namjae Jeon
2026-04-14 19:15 ` [PATCH 2/3] ksmbd: reject negative ngroups in ksmbd_alloc_user() Michael Bommarito
2026-04-15 2:05 ` Namjae Jeon
2026-04-15 2:35 ` Michael Bommarito
2026-04-15 4:31 ` Namjae Jeon
2026-04-14 19:15 ` [PATCH 3/3] ksmbd: require minimum ACE size in smb_check_perm_dacl() Michael Bommarito
2026-04-15 11:24 ` [PATCH v2 0/2] ksmbd: harden ipc_validate_msg() and smb_check_perm_dacl() Michael Bommarito
2026-04-15 11:25 ` [PATCH v2 1/2] ksmbd: validate response sizes in ipc_validate_msg() Michael Bommarito
2026-04-15 11:25 ` [PATCH v2 2/2] ksmbd: require minimum ACE size in smb_check_perm_dacl() Michael Bommarito
2026-04-16 0:07 ` [PATCH v2 0/2] ksmbd: harden ipc_validate_msg() and smb_check_perm_dacl() Namjae Jeon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260415023510.2659606-1-michael.bommarito@gmail.com \
--to=michael.bommarito@gmail.com \
--cc=linkinjeon@kernel.org \
--cc=linux-cifs@vger.kernel.org \
--cc=senozhatsky@chromium.org \
--cc=smfrench@gmail.com \
--cc=stable@vger.kernel.org \
--cc=tom@talpey.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox