CVE-2026-31707
Severity CVSS v4.0: Pending analysis
Type: CWE-787 (Out-of-bounds Write)
Publication date: 01/05/2026
Last modified: 06/05/2026
Description
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: validate response sizes in ipc_validate_msg()

ipc_validate_msg() computes the expected message size for each
response type by adding (or multiplying) attacker-controlled fields
from the daemon response to a fixed struct size in unsigned int
arithmetic. Three cases can overflow:

KSMBD_EVENT_RPC_REQUEST:
    msg_sz = sizeof(struct ksmbd_rpc_command) + resp->payload_sz;
KSMBD_EVENT_SHARE_CONFIG_REQUEST:
    msg_sz = sizeof(struct ksmbd_share_config_response) +
             resp->payload_sz;
KSMBD_EVENT_LOGIN_REQUEST_EXT:
    msg_sz = sizeof(struct ksmbd_login_response_ext) +
             resp->ngroups * sizeof(gid_t);

resp->payload_sz is __u32 and resp->ngroups is __s32. Each addition
can wrap in unsigned int; the multiplication by sizeof(gid_t) mixes
signed and size_t, so a negative ngroups is converted to SIZE_MAX
before the multiply. A wrapped value of msg_sz that happens to
equal entry->msg_sz bypasses the size check on the next line, and
downstream consumers (smb2pdu.c:6742 memcpy using rpc_resp->payload_sz,
kmemdup in ksmbd_alloc_user using resp_ext->ngroups) then trust the
unverified length.

Use check_add_overflow() on the RPC_REQUEST and SHARE_CONFIG_REQUEST
paths to detect integer overflow without constraining functional
payload size; userspace ksmbd-tools grows NDR responses in 4096-byte
chunks for calls like NetShareEnumAll, so a hard transport cap is
unworkable on the response side. For LOGIN_REQUEST_EXT, reject
resp->ngroups outside the signed [0, NGROUPS_MAX] range up front and
report the error from ipc_validate_msg() so it fires at the IPC
boundary; with that bound the subsequent multiplication and addition
stay well below UINT_MAX. The now-redundant ngroups check and
pr_err in ksmbd_alloc_user() are removed.

This is the response-side analogue of aab98e2dbd64 ("ksmbd: fix
integer overflows on 32 bit systems"), which hardened the request
side.
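The two overflow shapes the commit message describes (an unsigned addition that wraps, and a signed-times-size_t multiply that turns a negative count into a huge value) can be reproduced in plain userspace C. The following is an added illustration, not kernel code: the response structs are constructed stand-ins whose layouts are assumptions, `__builtin_add_overflow` stands in for the kernel's `check_add_overflow()`, `model_gid_t` assumes the 4-byte Linux `gid_t`, and `MODEL_NGROUPS_MAX` is an assumed value for `NGROUPS_MAX`. Each unsafe check is shown next to the bounded form the fix uses.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed stand-ins for the daemon response headers. The field names
 * follow the advisory text; the layouts and sizes are assumptions, not the
 * kernel's real definitions.
 */
struct share_config_response {
    uint32_t flags;
    uint32_t payload_sz;   /* attacker-controlled; __u32 in the real struct */
    uint8_t  fixed[56];    /* pad to an assumed 64-byte header */
};

struct login_response_ext {
    uint32_t handle;
    int32_t  ngroups;      /* attacker-controlled; __s32 in the real struct */
};

typedef uint32_t model_gid_t;      /* assumes the 4-byte Linux gid_t */
#define MODEL_NGROUPS_MAX 65536    /* assumed stand-in for the kernel's NGROUPS_MAX */

/* Vulnerable addition: the sum is truncated to unsigned int and can wrap
 * back onto the length of the message that actually arrived. */
static bool share_config_size_ok_unsafe(unsigned int entry_msg_sz, uint32_t payload_sz)
{
    unsigned int msg_sz = sizeof(struct share_config_response) + payload_sz;
    return msg_sz == entry_msg_sz;
}

/* Fixed addition: refuse any payload_sz whose sum does not fit in unsigned
 * int, without capping legitimate large payloads. */
static bool share_config_size_ok_safe(unsigned int entry_msg_sz, uint32_t payload_sz)
{
    unsigned int msg_sz;
    if (__builtin_add_overflow((unsigned int)sizeof(struct share_config_response),
                               payload_sz, &msg_sz))
        return false;
    return msg_sz == entry_msg_sz;
}

/* Vulnerable multiply: int * size_t converts a negative ngroups to a value
 * near SIZE_MAX, so -1 * 4 + 8 wraps to a tiny msg_sz. */
static bool login_ext_size_ok_unsafe(unsigned int entry_msg_sz, int32_t ngroups)
{
    unsigned int msg_sz = sizeof(struct login_response_ext) +
                          ngroups * sizeof(model_gid_t);
    return msg_sz == entry_msg_sz;
}

/* Fixed multiply: bound ngroups to [0, NGROUPS_MAX] first; with that bound
 * the product and the sum stay far below UINT_MAX. */
static bool login_ext_size_ok_safe(unsigned int entry_msg_sz, int32_t ngroups)
{
    if (ngroups < 0 || ngroups > MODEL_NGROUPS_MAX)
        return false;   /* reported at the IPC boundary */
    unsigned int msg_sz = sizeof(struct login_response_ext) +
                          (unsigned int)ngroups * sizeof(model_gid_t);
    return msg_sz == entry_msg_sz;
}

int main(void)
{
    /* Constructed hostile inputs: a 48-byte message claiming a payload of
     * 0xFFFFFFF0 bytes, and a login response with ngroups = -1. */
    printf("share_config unsafe accepts wrapped size: %d\n",
           share_config_size_ok_unsafe(48, 0xFFFFFFF0u));
    printf("share_config safe rejects it:             %d\n",
           !share_config_size_ok_safe(48, 0xFFFFFFF0u));
    printf("login_ext unsafe accepts ngroups=-1:      %d\n",
           login_ext_size_ok_unsafe(4, -1));
    printf("login_ext safe rejects it:                %d\n",
           !login_ext_size_ok_safe(4, -1));
    return 0;
}
```

The first pair shows why the fix uses an overflow-checking add rather than a cap: a genuine 16-byte payload on an 80-byte message still passes the safe check, while only the wrapped value is refused. The second pair shows that the range check alone is enough for the multiply, because once `ngroups` is non-negative and bounded, no mixed-sign conversion can occur.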
Impact
Base Score 3.x: 7.10
Severity 3.x: HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.15 (including) | 6.12.84 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.18.25 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.19 (including) | 7.0.2 (excluding) |