Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

ksmbd: fix O(N^2) DoS in smb2_lock via unbounded LockCount

smb2_lock() performs O(N^2) conflict detection with no cap on LockCount.
Cap lock_count at 64 to prevent CPU exhaustion from a single request.

Signed-off-by: Akif Sait <akif.sait111@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>

authored by Akif Sait and committed by Steve French
bd0a1ca5 b32c8db4

+6 -1
fs/smb/server/smb2pdu.c
··· 7491 7491 lock_ele = req->locks; 7492 7492 7493 7493 ksmbd_debug(SMB, "lock count is %d\n", lock_count); 7494 - if (!lock_count) { 7494 + /* 7495 + * Cap lock_count at 64. The MS-SMB2 spec defines Open.LockSequenceArray 7496 + * as exactly 64 entries so 64 is the intended ceiling. No real workload 7497 + * comes close to this in a single request. 7498 + */ 7499 + if (!lock_count || lock_count > 64) { 7495 7500 err = -EINVAL; 7496 7501 goto out2; 7497 7502 }
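
Review bot: the new condition `if (!lock_count || lock_count > 64)` hardcodes 64 as a bare literal; a named constant defined next to the other SMB2 limits would keep the value and its rationale in one place and make later changes a one-line edit. The comment justifies the value by the size of Open.LockSequenceArray, but it does not say why the size of that array should bound the number of lock elements in a single request, so either add a sentence connecting the two or state plainly that 64 is a chosen ceiling against the O(N^2) conflict scan described in the commit message. The zero case and the over-limit case now share the same `err = -EINVAL; goto out2;` path, so please confirm that this is the status clients should see for an oversized LockCount; the existing `ksmbd_debug(SMB, "lock count is %d\n", lock_count);` above the check does log the value, which is enough to tell the two cases apart when debugging.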