| author | Nicholas Carlini <nicholas@carlini.com> | 2026-02-19 20:58:57 +0900 |
|---|---|---|
| committer | Steve French <stfrench@microsoft.com> | 2026-02-22 21:27:33 -0600 |
| commit | 6b4f875aac344cdd52a1f34cc70ed2f874a65757 (patch) | |
| tree | bb51e04ec7c9d3a768a0539fd48c14c051a05e7f /tools/testing/selftests/exec | |
| parent | c5794709bc9105935dbedef8b9cf9c06f2b559fa (diff) | |
ksmbd: fix signedness bug in smb_direct_prepare_negotiation()

smb_direct_prepare_negotiation() casts an unsigned __u32 value
from sp->max_recv_size and req->preferred_send_size to a signed
int before computing min_t(int, ...). A maliciously provided
preferred_send_size of 0x80000000 will return as smaller than
max_recv_size, and then be used to set the maximum allowed
receive size for the next message.

By sending a second message with a large value (>1420 bytes)
the attacker can then achieve a heap buffer overflow.

This fix replaces min_t(int, ...) with min_t(u32).

Fixes: 0626e6641f6b ("cifsd: add server handler for central processing and tranport layers")
Signed-off-by: Nicholas Carlini <nicholas@carlini.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Acked-by: Stefan Metzmacher <metze@samba.org>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Diffstat (limited to 'tools/testing/selftests/exec')
0 files changed, 0 insertions, 0 deletions
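
The comparison the commit message describes, as an added C example that is not part of the commit or the kernel source. It uses a simplified userspace stand-in for `min_t`; `LOCAL_MAX_RECV` (a constructed value of 1364), `negotiate_signed`, `negotiate_unsigned` and `accepts` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>

/* Userspace stand-in for the kernel's min_t(): cast both operands to
 * `type`, then compare. Simplified; not the kernel's own definition. */
#define min_t(type, a, b) ((type)(a) < (type)(b) ? (type)(a) : (type)(b))

#define LOCAL_MAX_RECV 1364u  /* constructed value for the local limit */

/* Pre-fix behaviour: both u32 operands are compared as signed int, so a
 * peer value with the top bit set compares as a large negative number. */
static uint32_t negotiate_signed(uint32_t max_recv_size,
                                 uint32_t preferred_send_size)
{
    return (uint32_t)min_t(int, max_recv_size, preferred_send_size);
}

/* Post-fix behaviour: operands are compared as unsigned 32-bit values. */
static uint32_t negotiate_unsigned(uint32_t max_recv_size,
                                   uint32_t preferred_send_size)
{
    return min_t(uint32_t, max_recv_size, preferred_send_size);
}

/* Hypothetical receive-path check: a message is accepted only if it fits
 * the negotiated limit. Returns 1 if accepted, 0 if rejected. */
static int accepts(uint32_t negotiated, uint32_t msg_len)
{
    return msg_len <= negotiated;
}

int main(void)
{
    uint32_t peer = 0x80000000u;  /* value named in the commit message */
    uint32_t before = negotiate_signed(LOCAL_MAX_RECV, peer);
    uint32_t after = negotiate_unsigned(LOCAL_MAX_RECV, peer);

    printf("min_t(int): limit=0x%08x accepts 2000-byte msg: %d\n",
           (unsigned)before, accepts(before, 2000u));
    printf("min_t(u32): limit=0x%08x accepts 2000-byte msg: %d\n",
           (unsigned)after, accepts(after, 2000u));
    return 0;
}
```

With the signed comparison the negotiated limit ends up larger than the local maximum it was supposed to be clamped to, so a length check against that limit no longer protects a buffer sized for the local maximum.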
