smb/client: fix possible infinite loop and oob read in symlink_data()

Ye Bin · gregkh · commit cd4b9b662f0f · 2026-05-23T13:04:59.000+02:00
commit 7d9a7f1 upstream. On 32-bit architectures, the infinite loop is as follows: len = p->ErrorDataLength == 0xfffffff8 u8 *next = p->ErrorContextData + len next == p On 32-bit architectures, the out-of-bounds read is as follows: len = p->ErrorDataLength == 0xfffffff0 u8 *next = p->ErrorContextData + len next == (u8 *)p - 8 Reported-by: ChenXiaoSong <chenxiaosong@kylinos.cn> Fixes: 76894f3 ("cifs: improve symlink handling for smb2+") Cc: stable@vger.kernel.org Signed-off-by: Ye Bin <yebin10@huawei.com> Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
diff --git a/fs/smb/client/smb2file.c b/fs/smb/client/smb2file.c
@@ -49,6 +49,9 @@ static struct smb2_symlink_err_rsp *symlink_data(const struct kvec *iov)
 				 __func__, le32_to_cpu(p->ErrorId));
 
 			len = ALIGN(le32_to_cpu(p->ErrorDataLength), 8);
+			if (len > end - ((u8 *)p + sizeof(*p)))
+				return ERR_PTR(-EINVAL);
+
 			p = (struct smb2_error_context_rsp *)(p->ErrorContextData + len);
 		}
 	} else if (le32_to_cpu(err->ByteCount) >= sizeof(*sym) &&

Original file line number	Diff line number	Diff line change
`@@ -49,6 +49,9 @@ static struct smb2_symlink_err_rsp symlink_data(const struct kvec iov)`
`49`	`49`	`__func__, le32_to_cpu(p->ErrorId));`
`50`	`50`
`51`	`51`	`len = ALIGN(le32_to_cpu(p->ErrorDataLength), 8);`
	`52`	`+ if (len > end - ((u8 )p + sizeof(p)))`
	`53`	`+ return ERR_PTR(-EINVAL);`
	`54`	`+`
`52`	`55`	`p = (struct smb2_error_context_rsp *)(p->ErrorContextData + len);`
`53`	`56`	`}`
`54`	`57`	`} else if (le32_to_cpu(err->ByteCount) >= sizeof(*sym) &&`