bool is_chained_smb2_message(struct ksmbd_work *work)
 {
        struct smb2_hdr *hdr = work->request_buf;
-       unsigned int len;
+       unsigned int len, next_cmd;
 
        if (hdr->ProtocolId != SMB2_PROTO_NUMBER)
                return false;
 
        hdr = ksmbd_req_buf_next(work);
-       if (le32_to_cpu(hdr->NextCommand) > 0) {
+       next_cmd = le32_to_cpu(hdr->NextCommand);
+       if (next_cmd > 0) {
+               if ((u64)work->next_smb2_rcv_hdr_off + next_cmd +
+                       __SMB2_HEADER_STRUCTURE_SIZE >
+                   get_rfc1002_len(work->request_buf)) {
+                       pr_err("next command(%u) offset exceeds smb msg size\n",
+                              next_cmd);
+                       return false;
+               }
+
                ksmbd_debug(SMB, "got SMB2 chained command\n");
                init_chained_smb2_rsp(work);
                return true;