diff options
| author |   Tristan Madani <tristan@talencesecurity.com> | 2026-04-17 19:54:57 +0000 |
|---|---|---|
| committer |   Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2026-04-27 07:30:18 -0600 |
| commit | ef7902be3f215b6bf7babe4dc9dd9a7d57dad7a7 (patch) | |
| tree | f4711bb8c63a04486c7d07939a3f18d5de33477f /include/linux/ceph/ssh:/git@git.zx2c4.com | |
| parent | ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment (diff) | |
ksmbd: use check_add_overflow() to prevent u16 DACL size overflow
commit 299f962c0b02d048fb45d248b4da493d03f3175d upstream.
set_posix_acl_entries_dacl() and set_ntacl_dacl() accumulate ACE sizes
in u16 variables. When a file has many POSIX ACL entries, the
accumulated size can wrap past 65535, causing the pointer arithmetic
(char *)pndace + *size to land within already-written ACEs. Subsequent
writes then overwrite earlier entries, and pndacl->size gets a
truncated value.
Use check_add_overflow() at each accumulation point to detect the
wrap before it corrupts the buffer, consistent with existing
check_mul_overflow() usage elsewhere in smbacl.c.
Cc: stable@vger.kernel.org
Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'include/linux/ceph/ssh:/git@git.zx2c4.com')
0 files changed, 0 insertions, 0 deletions