Description
In the Linux kernel, the following vulnerability has been resolved: ksmbd: transport_ipc: validate payload size before reading handle handle_response() dereferences the payload as a 4-byte handle without verifying that the declared payload size is at least 4 bytes. A malformed or truncated message from ksmbd.mountd can lead to a 4-byte read past the declared payload size. Validate the size before dereferencing. This is a minimal fix to guard the initial handle read.
Product status
0626e6641f6b467447c81dd7678a69c66f7746cf (git) before a02e432d5130da4c723aabe1205bac805889fdb2
0626e6641f6b467447c81dd7678a69c66f7746cf (git) before 2dc125f5da134c0915a840b62565c60a595673dd
0626e6641f6b467447c81dd7678a69c66f7746cf (git) before 898d527ed94c19980a4d848f10057f1fed578ffb
0626e6641f6b467447c81dd7678a69c66f7746cf (git) before 867ffd9d67285612da3f0498ca618297f8e41f01
0626e6641f6b467447c81dd7678a69c66f7746cf (git) before 6f40e50ceb99fc8ef37e5c56e2ec1d162733fef0
5.15
Any version before 5.15
6.1.158 (semver)
6.6.115 (semver)
6.12.56 (semver)
6.17.6 (semver)
6.18-rc4 (original_commit_for_fix)
References
git.kernel.org/...c/a02e432d5130da4c723aabe1205bac805889fdb2
git.kernel.org/...c/2dc125f5da134c0915a840b62565c60a595673dd
git.kernel.org/...c/898d527ed94c19980a4d848f10057f1fed578ffb
git.kernel.org/...c/867ffd9d67285612da3f0498ca618297f8e41f01
git.kernel.org/...c/6f40e50ceb99fc8ef37e5c56e2ec1d162733fef0
