Linux Kernel SMB Server Batch Credit Vulnerability in Data Transfer

A vulnerability in the Linux kernel's SMB server implementation can disrupt the proper flow of reassembled data transfer messages. This issue arises when an immediate, empty send is triggered, leading to corruption in the data stream. The vulnerability is present in the stable Linux kernel versions 6.18.x. The root cause lies in the handling of send credits, which are not properly managed during data transmission, particularly when an empty send is initiated. As a result, the server can mistakenly overwrite or lose important data transfer information, causing disruptions in communication.

Impact

Exploitation of this vulnerability can lead to data corruption in SMB direct data transfers, causing disruptions in the communication stream and potentially leading to application-level errors or data loss.

Reproduction

The vulnerability can be reproduced by initiating an immediate, empty send in the SMB server's direct data transfer process. This can be done by manipulating the send credit management, causing the server to incorrectly process the data transfer messages. The issue can be observed in the stable Linux kernel versions 6.18.x, where the SMB server fails to properly handle batch credits during data transmission, leading to corruption in the reassembled data stream.

Remediation

Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been addressed. Instructions for downloading the patched version can be found on the official Linux kernel website.