Hello,
I am sending this patch for inclusion in the stable tree, as it fixes a critical stack-out-of-bounds bug in the cifs module related to the `smb2_set_next_command()` function.
Problem Summary: A problem was observed in the `statfs` system call for cifs, where it failed with a "Resource temporarily unavailable" message. Further investigation with KASAN revealed a stack-out-of-bounds error. The root cause was a miscalculation of the size of the `smb2_query_info_req` structure in the `SMB2_query_info_init()` function.
This situation arose due to a dependency on a prior commit (`eb3e28c1e89b`) that replaced a 1-element array with a flexible array member in the `smb2_query_info_req` structure. This commit was not backported to the 5.10.y and 5.15.y stable branches, leading to an incorrect size calculation after the backport of commit `33eae65c6f49`.
Fix Details: The patch corrects the size calculation to ensure the correct length is used when initializing the `smb2_query_info_req` structure. It has been tested and confirmed to resolve the issue without introducing any regressions.
Maybe the prior commit eb3e28c1e89b ("smb3: Replace smb2pdu 1-element arrays with flex-arrays") should be backported to solve this problem directly. The patch does not seem to conflict.
Best regards,
ZhaoLong Wang
ZhaoLong Wang (1): cifs: Fix stack-out-of-bounds in smb2_set_next_command()
fs/cifs/smb2pdu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
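The size mismatch described above, as an added illustration that is not part of the patch or the kernel's code: a request struct declared with a trailing 1-element array is one byte larger than the same struct declared with a flexible array member, so a length formula written for one layout applied to the other is off by one. The struct layouts, field names and the direction of the mismatch are simplified stand-ins, not the real `smb2_query_info_req`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for a PDU header plus variable-length buffer.
 * Packed like the kernel's SMB2 PDU structs so sizeof has no padding. */
struct req_onearray {          /* pre-eb3e28c1e89b style: Buffer[1] */
    uint16_t struct_size;
    uint32_t input_len;
    uint8_t  buffer[1];
} __attribute__((packed));

struct req_flex {              /* flex-array style: Buffer[] */
    uint16_t struct_size;
    uint32_t input_len;
    uint8_t  buffer[];
} __attribute__((packed));

/* Bytes on the wire for input_len payload bytes, flex-array convention. */
size_t wire_len_flex(size_t input_len)
{
    return sizeof(struct req_flex) + input_len;
}

/* Same quantity under the 1-element-array convention: the "- 1" drops the
 * placeholder byte that sizeof already counts inside buffer[1]. */
size_t wire_len_onearray(size_t input_len)
{
    return sizeof(struct req_onearray) - 1 + input_len;
}

/* Applying the flex-style formula (no "- 1") to the 1-element-array struct
 * overstates the length; returns the excess bytes a consumer would then
 * read or write past a buffer sized by the correct formula. */
size_t mixed_formula_excess(size_t input_len)
{
    size_t claimed = sizeof(struct req_onearray) + input_len;
    return claimed - wire_len_onearray(input_len);
}

/* Bounds check a consumer should apply before trusting a computed length. */
int length_fits(size_t claimed_len, size_t buf_len)
{
    return claimed_len <= buf_len;
}

int main(void)
{
    size_t n = 16; /* constructed payload size */
    printf("flex=%zu onearray=%zu excess=%zu\n", wire_len_flex(n),
           wire_len_onearray(n), mixed_formula_excess(n));
    return 0;
}
```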