ksmbd: the buffer of smb2 query dir response has at least 1 byte

When STATUS_NO_MORE_FILES status is set to smb2 query dir response,
->StructureSize is set to 9, which mean buffer has 1 byte.
This issue occurs because ->Buffer[1] in smb2_query_directory_rsp to
flex-array.

Fixes: eb3e28c1e89b ("smb3: Replace smb2pdu 1-element arrays with flex-arrays")
Cc: stable@vger.kernel.org # v6.1+
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>

diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
index 0bc9edf22ba4076b731e67d411173b2670687170..e9204180919e35e5c5cb758ff7527e8375590682 100644 (file)
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -4409,7 +4409,8 @@ int smb2_query_dir(struct ksmbd_work *work)
                rsp->OutputBufferLength = cpu_to_le32(0);
                rsp->Buffer[0] = 0;
                rc = ksmbd_iov_pin_rsp(work, (void *)rsp,
-                                      sizeof(struct smb2_query_directory_rsp));
+                                      offsetof(struct smb2_query_directory_rsp, Buffer)
+                                      + 1);
                if (rc)
                        goto err_out;
        } else {