smb: client: fix UBSAN array-index-out-of-bounds in smb2_copychunk_range

struct copychunk_ioctl_req::ChunkCount is annotated with __counted_by_le() as the number of elements in Chunks[]. smb2_copychunk_range reuses ChunkCount to store the number of chunks sent in the current iteration. If a later iteration populates more chunks than a previous one, the stale smaller value trips UBSAN. Set ChunkCount to chunk_count (allocated capacity) before populating Chunks[]. Fixes: cc26f593dc19 ("smb: move copychunk definitions to common/smb2pdu.h") Link: https://lore.kernel.org/linux-cifs/CAH2r5ms9AWLy8WZ04Cpq5XOeVK64tcrUQ6__iMW+yk1VPzo1BA@mail.gmail.com Tested-by: Youling Tang <tangyouling@kylinos.cn> Acked-by: ChenXiaoSong <chenxiaosong@kylinos.cn> Signed-off-by: Henrique Carvalho <henrique.carvalho@suse.com> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-01-12 01:20:14 +00:00 · 2025-12-29 14:49:43 -03:00 · 2025-12-29 14:49:43 -03:00 · fa2fd0b10f
commit fa2fd0b10f
parent bc31161162
1 changed files with 6 additions and 0 deletions
--- a/fs/smb/client/smb2ops.c
+++ b/fs/smb/client/smb2ops.c
@ -1905,6 +1905,12 @@ retry:
 		src_off_prev = src_off;
 		dst_off_prev = dst_off;

+		/*
+		 * __counted_by_le(ChunkCount): set to allocated chunks before
+		 * populating Chunks[]
+		 */
+		cc_req->ChunkCount = cpu_to_le32(chunk_count);
+
 		chunks = 0;
 		copy_bytes = 0;
 		copy_bytes_left = umin(total_bytes_left, tcon->max_bytes_copy);