Linux CIFS filesystem development
* [PATCH] smb: client: fix wrong index reference in smb2_compound_op()
@ 2025-09-23  8:16 Sang-Heon Jeon
  2025-09-23 16:16 ` Paulo Alcantara
  0 siblings, 1 reply; 2+ messages in thread
From: Sang-Heon Jeon @ 2025-09-23  8:16 UTC (permalink / raw)
  To: sfrench, pc; +Cc: linux-cifs, Sang-Heon Jeon

In smb2_compound_op(), the loop that processes each command's response
uses wrong indices when accessing response buffers.

This incorrect indexing leads to improper handling of command results.
Also, if the incorrectly computed index is greater than or equal to
MAX_COMPOUND, it can cause out-of-bounds accesses.

Fixes: 3681c74d342d ("smb: client: handle lack of EA support in smb2_query_path_info()") # 6.14
Signed-off-by: Sang-Heon Jeon <ekffu200098@gmail.com>
---
I was unable to reproduce this issue in my environment, but the code
flow clearly looks like a typo. I have not added stable cc-ing yet,
leaving it to the reviewers' judgment, but IMHO I think it should be needed.

I would be happy to help with testing if anyone can provide reproduction
steps or additional help on triggering this code path. Thanks, as always,
for your consideration.
---
 fs/smb/client/smb2inode.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/smb/client/smb2inode.c b/fs/smb/client/smb2inode.c
index e32a3f338793..0985db9f86e5 100644
--- a/fs/smb/client/smb2inode.c
+++ b/fs/smb/client/smb2inode.c
@@ -687,7 +687,7 @@ static int smb2_compound_op(const unsigned int xid, struct cifs_tcon *tcon,
 	}
 
 	for (i = 0; i < num_cmds; i++) {
-		char *buf = rsp_iov[i + i].iov_base;
+		char *buf = rsp_iov[i + 1].iov_base;
 
 		if (buf && resp_buftype[i + 1] != CIFS_NO_BUFFER)
 			rc = server->ops->map_error(buf, false);
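Review bot: the old read `rsp_iov[i + i].iov_base` was paired with `resp_buftype[i + 1]` on the very next line, so the buffer whose type was checked was not the buffer handed to map_error() for any i > 1, and the `2 * i` index grows past the `+ 1` offset the rest of the loop uses, which is the out-of-bounds case the commit message describes once it reaches MAX_COMPOUND; `rsp_iov[i + 1]` restores the same offset for both arrays. Since the Fixes tag places the regression in 6.14, a `Cc: stable@vger.kernel.org` trailer seems warranted, as the author already suggests in the cover note.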
-- 
2.43.0



* Re: [PATCH] smb: client: fix wrong index reference in smb2_compound_op()
  2025-09-23  8:16 [PATCH] smb: client: fix wrong index reference in smb2_compound_op() Sang-Heon Jeon
@ 2025-09-23 16:16 ` Paulo Alcantara
  0 siblings, 0 replies; 2+ messages in thread
From: Paulo Alcantara @ 2025-09-23 16:16 UTC (permalink / raw)
  To: Sang-Heon Jeon, sfrench; +Cc: linux-cifs, Sang-Heon Jeon

Sang-Heon Jeon <ekffu200098@gmail.com> writes:

> In smb2_compound_op(), the loop that processes each command's response
> uses wrong indices when accessing response buffers.
>
> This incorrect indexing leads to improper handling of command results.
> Also, if the incorrectly computed index is greater than or equal to
> MAX_COMPOUND, it can cause out-of-bounds accesses.
>
> Fixes: 3681c74d342d ("smb: client: handle lack of EA support in smb2_query_path_info()") # 6.14
> Signed-off-by: Sang-Heon Jeon <ekffu200098@gmail.com>
> ---
> I was unable to reproduce this issue in my environment, but the code
> flow clearly looks like a typo. I have not added stable cc-ing yet,
> leaving it to the reviewers' judgment, but IMHO I think it should be needed.
>
> I would be happy to help with testing if anyone can provide reproduction
> steps or additional help on triggering this code path. Thanks, as always,
> for your consideration.
> ---
>  fs/smb/client/smb2inode.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Nice catch!

Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>

