smb/client: fix possible infinite loop and oob read in symlink_data() - kernel/linux.git

diff options

author	Ye Bin <yebin10@huawei.com>	2026-05-14 16:14:18 +0300
committer	Steve French <stfrench@microsoft.com>	2026-05-14 17:40:17 +0300
commit	7d9a7f1f96cd617ee9e75bb22217c709038e26b8 (patch)
tree	cb5305e6305afc4c9f33b7d3422206166b53376f /drivers/gpu/tests/git@radix-linux.su:pub
parent	603ab5ea6482c723216b59cb733e8ba248619ee9 (diff)
download	linux-7d9a7f1f96cd617ee9e75bb22217c709038e26b8.tar.xz

smb/client: fix possible infinite loop and oob read in symlink_data()

On 32-bit architectures, the infinite loop is as follows: len = p->ErrorDataLength == 0xfffffff8 u8 *next = p->ErrorContextData + len next == p On 32-bit architectures, the out-of-bounds read is as follows: len = p->ErrorDataLength == 0xfffffff0 u8 *next = p->ErrorContextData + len next == (u8 *)p - 8 Reported-by: ChenXiaoSong <chenxiaosong@kylinos.cn> Fixes: 76894f3e2f71 ("cifs: improve symlink handling for smb2+") Cc: stable@vger.kernel.org Signed-off-by: Ye Bin <yebin10@huawei.com> Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn> Signed-off-by: Steve French <stfrench@microsoft.com>

Diffstat (limited to 'drivers/gpu/tests/git@radix-linux.su:pub')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: