ksmbd: use check_add_overflow() to prevent u16 DACL size overflow - kernel/linux.git

diff options

author	Tristan Madani <tristan@talencesecurity.com>	2026-04-17 22:54:57 +0300
committer	Steve French <stfrench@microsoft.com>	2026-04-18 20:19:59 +0300
commit	299f962c0b02d048fb45d248b4da493d03f3175d (patch)
tree	4ef209ef74f943ec85b441dee3feeb27b92393b4 /include/linux/debugobjects.h
parent	1baff47b81f94f9231c91236aa511420d0e266b9 (diff)
download	linux-299f962c0b02d048fb45d248b4da493d03f3175d.tar.xz

ksmbd: use check_add_overflow() to prevent u16 DACL size overflow

set_posix_acl_entries_dacl() and set_ntacl_dacl() accumulate ACE sizes in u16 variables. When a file has many POSIX ACL entries, the accumulated size can wrap past 65535, causing the pointer arithmetic (char *)pndace + *size to land within already-written ACEs. Subsequent writes then overwrite earlier entries, and pndacl->size gets a truncated value. Use check_add_overflow() at each accumulation point to detect the wrap before it corrupts the buffer, consistent with existing check_mul_overflow() usage elsewhere in smbacl.c. Cc: stable@vger.kernel.org Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") Signed-off-by: Tristan Madani <tristan@talencesecurity.com> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>

Diffstat (limited to 'include/linux/debugobjects.h')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: