From: Dan Carpenter <dan.carpenter@linaro.org> mainline inclusion from mainline-v6.8-rc4 commit cffe487026be13eaf37ea28b783d9638ab147204 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9HJRD CVE: CVE-2024-26828 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- In this loop, we step through the buffer and after each item we check if the size_left is greater than the minimum size we need. However, the problem is that "bytes_left" is type ssize_t while sizeof() is type size_t. That means that because of type promotion, the comparison is done as an unsigned and if we have negative bytes left the loop continues instead of ending. Fixes: fe856be475f7 ("CIFS: parse and store info on iface queries") Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> Reviewed-by: Shyam Prasad N <sprasad@microsoft.com> Signed-off-by: Steve French <stfrench@microsoft.com> Conflict: fs/cifs/smb2ops.c Signed-off-by: Long Li <leo.lilong@huawei.com> --- fs/cifs/smb2ops.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c index b4c73d453533..5e773fa0443a 100644 --- a/fs/cifs/smb2ops.c +++ b/fs/cifs/smb2ops.c @@ -462,7 +462,7 @@ parse_server_interfaces(struct network_interface_info_ioctl_rsp *buf, bytes_left = buf_len; p = buf; - while (bytes_left >= sizeof(*p)) { + while (bytes_left >= (ssize_t)sizeof(*p)) { nb_iface++; next = le32_to_cpu(p->Next); if (!next) { @@ -497,7 +497,7 @@ parse_server_interfaces(struct network_interface_info_ioctl_rsp *buf, info = *iface_list; bytes_left = buf_len; p = buf; - while (bytes_left >= sizeof(*p)) { + while (bytes_left >= (ssize_t)sizeof(*p)) { info->speed = le64_to_cpu(p->LinkSpeed); info->rdma_capable = le32_to_cpu(p->Capability & RDMA_CAPABLE) ? 1 : 0; info->rss_capable = le32_to_cpu(p->Capability & RSS_CAPABLE) ? 1 : 0; -- 2.31.1