aboutsummaryrefslogtreecommitdiffstats
path: root/fs
diff options
authorNamjae Jeon <linkinjeon@kernel.org>2026-06-21 19:40:37 +0900
committerSteve French <stfrench@microsoft.com>2026-06-22 20:15:05 -0500
commite50a07437a9ef5a3b2efe414643e2cdcb6b2e644 (patch)
tree8ce101947fff01149648ad43873e54d609867563 /fs
parent7d258465ea49d82668f52de96f3f0c84727003e4 (diff)
downloadath-e50a07437a9ef5a3b2efe414643e2cdcb6b2e644.tar.gz
ksmbd: preserve compound responses for chained errors
set_smb2_rsp_status() resets the response iov and compound offsets before building an error response. That is fine for a single request, but it corrupts a compound response when an error is detected after an earlier compound element has already been completed. smb2.compound.invalid4 sends a READ as the first compound element and a bogus command as the second one. The READ response must remain in the compound response with STATUS_END_OF_FILE, followed by the bogus command response with STATUS_INVALID_PARAMETER. Resetting the response state for the second command breaks the compound framing and the client reports NT_STATUS_INVALID_NETWORK_RESPONSE. When setting an error for a chained command, update and pin only the current compound response slot instead of resetting the whole response. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
Diffstat (limited to 'fs')
-rw-r--r--fs/smb/server/smb2pdu.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
index d3bd198ec9389..35f23b427bd17 100644
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -246,6 +246,13 @@ void set_smb2_rsp_status(struct ksmbd_work *work, __le32 err)
{
struct smb2_hdr *rsp_hdr;
+ if (work->next_smb2_rcv_hdr_off) {
+ rsp_hdr = ksmbd_resp_buf_next(work);
+ rsp_hdr->Status = err;
+ smb2_set_err_rsp(work);
+ return;
+ }
+
rsp_hdr = smb_get_msg(work->response_buf);
rsp_hdr->Status = err;