Re: [PATCH] ksmbd: transport_ipc: validate payload size before reading handle

On Tue, Oct 21, 2025 at 11:55 PM Qianchang Zhao pioooooooooip@gmail.com wrote:

handle_response() dereferences the payload as a 4-byte handle without verifying that the declared payload size is at least 4 bytes. A malformed or truncated message from ksmbd.mountd can lead to a 4-byte read past the declared payload size. Validate the size before dereferencing.

This is a minimal fix to guard the initial handle read.

Fixes: 0626e6641f6b ("cifsd: add server handler for central processing and tranport layers") Cc: stable@vger.kernel.org Reported-by: Qianchang Zhao pioooooooooip@gmail.com Signed-off-by: Qianchang Zhao pioooooooooip@gmail.com

I have directly updated your patch. Can you check the attached patch ? Thanks!