From: Paulo Alcantara <pc@manguebit.com> mainline inclusion from mainline-v6.14-rc1 commit bfc1155030151912e7c5426449c7703dad45a890 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/7774 CVE: CVE-2025-40099 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- Return -ENOENT in parse_dfs_referrals() when server returns no targets for a referral request as specified in MS-DFSC 3.1.5.4.3 Receiving a Root Referral Response or Link Referral Response: > If the referral request is successful, but the NumberOfReferrals > field in the referral header (as specified in section 2.2.4) is > 0, the DFS server could not find suitable targets to return to > the client. In this case, the client MUST fail the original I/O > operation with STATUS_OBJECT_PATH_NOT_FOUND. Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Wang Zhaolong <wangzhaolong@huaweicloud.com> --- fs/smb/client/misc.c | 6 +++--- fs/smb/client/smb2ops.c | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/fs/smb/client/misc.c b/fs/smb/client/misc.c index b0381c7dd15b..fb4abb1a7b2f 100644 --- a/fs/smb/client/misc.c +++ b/fs/smb/client/misc.c @@ -908,13 +908,13 @@ parse_dfs_referrals(struct get_dfs_referral_rsp *rsp, u32 rsp_size, struct dfs_referral_level_3 *ref; *num_of_nodes = le16_to_cpu(rsp->NumberOfReferrals); if (*num_of_nodes < 1) { - cifs_dbg(VFS, "num_referrals: must be at least > 0, but we get num_referrals = %d\n", - *num_of_nodes); - rc = -EINVAL; + cifs_dbg(VFS | ONCE, "%s: [path=%s] num_referrals must be at least > 0, but we got %d\n", + __func__, searchName, *num_of_nodes); + rc = -ENOENT; goto parse_DFS_referrals_exit; } ref = (struct dfs_referral_level_3 *) &(rsp->referrals); if (ref->VersionNumber != cpu_to_le16(3)) { diff --git a/fs/smb/client/smb2ops.c b/fs/smb/client/smb2ops.c index c19643a37fa0..d21967cf2e47 100644 --- a/fs/smb/client/smb2ops.c +++ b/fs/smb/client/smb2ops.c @@ -2989,13 +2989,13 @@ smb2_get_dfs_refer(const unsigned int xid, struct cifs_ses *ses, rc = parse_dfs_referrals(dfs_rsp, dfs_rsp_size, num_of_nodes, target_nodes, nls_codepage, remap, search_name, true /* is_unicode */); - if (rc) { - cifs_tcon_dbg(VFS, "parse error in %s rc=%d\n", __func__, rc); - goto out; + if (rc && rc != -ENOENT) { + cifs_tcon_dbg(VFS, "%s: failed to parse DFS referral %s: %d\n", + __func__, search_name, rc); } out: if (tcon && !tcon->ipc) { /* ipc tcons are not refcounted */ -- 2.34.3