The check of DataOffset in smb2_write_pipe() is insufficient. If
DataOffset is 0 or smaller than offsetof(struct smb2_write_req, Buffer),
data_buf will point to the SMB2 header instead of the actual data
buffer, leading to out-of-bounds read.
This is the same issue that was fixed in smb2_write() by commit
ac60778b87e4 ("ksmbd: prevent out of bound read for SMB2_WRITE"),
but the fix was not applied to smb2_write_pipe().
Add a check to ensure DataOffset is at least offsetof(struct
smb2_write_req, Buffer) to prevent this issue.
Fixes: 158a66b245739 ("ksmbd: validate length in smb2_write()")
Signed-off-by: Kery Qi <qikeyu2017@gmail.com>
---
fs/smb/server/smb2pdu.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
index 2fcd0d4d1fb0..1f1086023e74 100644
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -6932,6 +6932,12 @@ static noinline int smb2_write_pipe(struct ksmbd_work *work)
goto out;
}
+ if (le16_to_cpu(req->DataOffset) <
+ offsetof(struct smb2_write_req, Buffer)) {
+ err = -EINVAL;
+ goto out;
+ }
+
data_buf = (char *)(((char *)&req->hdr.ProtocolId) +
le16_to_cpu(req->DataOffset));
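Review bot: the new `if (le16_to_cpu(req->DataOffset) < offsetof(struct smb2_write_req, Buffer))` lower bound deserves a one-line comment above it explaining why it is needed independently of the length check that precedes the `goto out` above: a DataOffset below Buffer makes data_buf alias header and fixed fields that have already been parsed, which is an invalid request even when DataOffset + Length still fits in the received buffer, and stating that in the code would answer the question raised in the reply and save the next reader a trip to ac60778b87e4.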
--
2.34.1
On Thu, Jan 22, 2026 at 11:10 AM Kery Qi <qikeyu2017@gmail.com> wrote:
>
> The check of DataOffset in smb2_write_pipe() is insufficient. If
> DataOffset is 0 or smaller than offsetof(struct smb2_write_req, Buffer),
> data_buf will point to the SMB2 header instead of the actual data
> buffer, leading to out-of-bounds read.
How can out-of-bounds occur when the previous checks ensure that the length does not exceed the request buffer?
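To make the two bounds concrete, here is an added example (written for this page, not ksmbd's own code) that models the patched check over a constructed SMB2 WRITE request: the struct layout is a simplified stand-in for the kernel's smb2_write_req in host byte order, and the 80-byte request, its "hello" payload and the result codes are assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for ksmbd's struct smb2_write_req: the kernel struct has more
 * fields and __le16/__le32 types; this keeps only what the check needs, host-endian. */
struct smb2_hdr { uint8_t ProtocolId[4]; uint8_t rest[60]; };  /* 64-byte SMB2 header */
struct smb2_write_req {
    struct smb2_hdr hdr;
    uint16_t StructureSize;
    uint16_t DataOffset;   /* offset of the payload from the start of hdr */
    uint32_t Length;
    uint8_t  Buffer[];     /* the payload is expected at or after this point */
};

enum { REQ_OK = 0, REQ_BAD_LENGTH = -1, REQ_BAD_OFFSET = -2 };

/* Both bounds the patched function enforces: [DataOffset, DataOffset + Length) must
 * fit in the received buffer (existing check) and DataOffset must not point back
 * into the header or fixed fields (the lower bound this patch adds). */
static int locate_write_data(const struct smb2_write_req *req, size_t buf_len,
                             const char **data, size_t *len)
{
    size_t off = req->DataOffset, n = req->Length;
    if (off > buf_len || n > buf_len - off)
        return REQ_BAD_LENGTH;
    if (off < offsetof(struct smb2_write_req, Buffer))
        return REQ_BAD_OFFSET;
    *data = (const char *)&req->hdr.ProtocolId + off;
    *len = n;
    return REQ_OK;
}

/* Build a constructed 80-byte request carrying "hello" at Buffer, set DataOffset to
 * data_offset and run the check; on REQ_OK the located payload is copied into out. */
static int check_request(uint16_t data_offset, char *out, size_t out_sz)
{
    _Alignas(struct smb2_write_req) unsigned char raw[sizeof(struct smb2_write_req) + 8];
    struct smb2_write_req *req = (struct smb2_write_req *)raw;
    const char *data; size_t len; int rc;
    memset(raw, 0, sizeof raw);
    memcpy(req->hdr.ProtocolId, "\xfeSMB", 4);
    req->DataOffset = data_offset;
    req->Length = 5;
    memcpy(req->Buffer, "hello", 5);
    rc = locate_write_data(req, sizeof raw, &data, &len);
    if (rc == REQ_OK && len < out_sz) { memcpy(out, data, len); out[len] = '\0'; }
    return rc;
}
```

With DataOffset = 0 the length check alone passes (5 bytes fit in 80), yet data_buf would start on the ProtocolId bytes of the header, which is exactly the case the added lower bound rejects.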