summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorZihan Xi <xizh2024@lzu.edu.cn>2026-06-28 17:19:24 +0800
committerSteve French <stfrench@microsoft.com>2026-07-01 20:19:15 -0500
commit7ad2bcf2441430bb2e918fb3ef9a90d775a6e422 (patch)
treea4c9a6f6974b22a8c5febb2384120b3cb8af2ce3
parentdc59e4fea9d83f03bad6bddf3fa2e52491777482 (diff)
downloadlinux-2.6-7ad2bcf2441430bb2e918fb3ef9a90d775a6e422.tar.gz
linux-2.6-7ad2bcf2441430bb2e918fb3ef9a90d775a6e422.zip
smb: client: harden POSIX SID length parsing
posix_info_sid_size() reads sid[1] to obtain the subauthority count, but its existing boundary check still accepts buffers with only one remaining byte. Require two bytes before reading sid[1] so all client paths that reuse the helper reject truncated POSIX SIDs safely. Fixes: 349e13ad30b4 ("cifs: add smb2 POSIX info level") Cc: stable@vger.kernel.org Reported-by: Yuan Tan <yuantan098@gmail.com> Reported-by: Yifan Wu <yifanwucs@gmail.com> Reported-by: Juefei Pu <tomapufckgml@gmail.com> Reported-by: Xin Liu <bird@lzu.edu.cn> Assisted-by: Codex:gpt-5.4 Signed-off-by: Zihan Xi <xizh2024@lzu.edu.cn> Signed-off-by: Ren Wei <n05ec@lzu.edu.cn> Signed-off-by: Steve French <stfrench@microsoft.com>
-rw-r--r--fs/smb/client/smb2pdu.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/fs/smb/client/smb2pdu.c b/fs/smb/client/smb2pdu.c
index d058584b8f05..77738900e75e 100644
--- a/fs/smb/client/smb2pdu.c
+++ b/fs/smb/client/smb2pdu.c
@@ -5405,7 +5405,7 @@ int posix_info_sid_size(const void *beg, const void *end)
size_t subauth;
int total;
- if (beg + 1 > end)
+ if (beg + 2 > end)
return -1;
subauth = *(u8 *)(beg+1);