Re: [PATCH] ksmbd: transport_ipc: validate payload size before reading handle

Next message: Dave Hansen: "Re: [PATCH 1/3] x86/boot: Fix page table access in 5-level to 4-level paging transition"
Previous message: Caleb Sander Mateos: "[PATCH 3/3] io_uring/uring_cmd: avoid double indirect call in task work dispatch"
In reply to: &#x304F;&#x3055;&#x3042;&#x3055;: "Re: [PATCH] ksmbd: transport_ipc: validate payload size before reading handle"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Namjae Jeon

Date: Wed Oct 22 2025 - 19:13:48 EST

On Wed, Oct 22, 2025 at 7:45 PM くさあさ <pioooooooooip@xxxxxxxxx> wrote:
>
> Hi Namjae, Steve,
Hi,
>
> Thanks for updating the patch. I’ve reviewed the changes and they look good to me.
Okay.
>
> Minor impact note: this patch prevents a 4-byte out-of-bounds read in ksmbd’s handle_response() when the declared Generic Netlink payload size is < 4.
> If a remote client can influence ksmbd.mountd to emit a truncated payload, this could be remotely triggerable (info-leak/DoS potential).
I don't understand how this is possible. Could you please explain it
to me via private email?
> If you consider this security-impacting, I’m happy to request a CVE via the kernel.org CNA.
>
> Thanks!!
> Qianchang Zhao