Linux Kernel ksmbd EaNameLength Validation Vulnerability in smb2_get_ea() Function

Vulnerability

A vulnerability exists in the Linux kernel's ksmbd component, specifically within the smb2_get_ea() function. The function reads the EaNameLength field from a client request and passes it directly to a strncmp() call without validating that length against the actual size of the input buffer. Because the comparison can run past the bytes the client supplied, uninitialized heap memory may be unintentionally leaked to the client. The vulnerability affects several versions of the Linux kernel.

Impact

Exploitation of this vulnerability could disclose uninitialized heap memory to the client, an information leak that could assist further exploitation.

Reproduction

To reproduce this vulnerability, send a client request to the ksmbd component of the Linux kernel that includes an EaNameLength value. The smb2_get_ea() function reads this length and uses it in a strncmp() comparison without verifying that the length is consistent with the size of the input buffer. This missing check can result in uninitialized heap values being leaked to the client.
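The pattern described above, as an added illustration that is not the kernel's smb2_get_ea() code: a simplified user-space C model in which a client-controlled name length drives strncmp() without a bounds check, placed next to a hardened form that first verifies the declared length fits inside the bytes actually received. The struct ea_req layout, its field names and the function names are assumptions made for this example and do not mirror ksmbd's real structures.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of an EA request body: a client-supplied name length
 * followed by the name bytes in the same buffer (assumption; not the real
 * SMB2 wire layout). */
struct ea_req {
    uint8_t ea_name_length;   /* client-controlled, like EaNameLength */
    char    name[];           /* name bytes follow inside the request */
};

/* Vulnerable pattern: the declared length is trusted. If it is larger than
 * the bytes the client actually sent, strncmp() reads beyond the request
 * into adjacent memory the client never supplied, so the comparison result
 * (and anything later copied on a "match") depends on that memory. */
static int ea_name_matches_unchecked(const struct ea_req *req,
                                     const char *xattr_name)
{
    return strncmp(xattr_name, req->name, req->ea_name_length) == 0;
}

/* Hardened form: reject any declared length that overruns the received
 * buffer, then compare exactly the candidate name's length so a short
 * request cannot prefix-match a longer stored name.
 * Returns 1 on match, 0 on mismatch, -1 on a malformed request. */
static int ea_name_matches_checked(const struct ea_req *req, size_t req_len,
                                   const char *xattr_name)
{
    size_t hdr = offsetof(struct ea_req, name);

    if (req_len < hdr)
        return -1;                              /* header truncated */
    if (req->ea_name_length > req_len - hdr)
        return -1;                              /* length overruns buffer */

    size_t xlen = strlen(xattr_name);
    if (xlen != req->ea_name_length)
        return 0;                               /* lengths differ */
    return memcmp(xattr_name, req->name, xlen) == 0;
}

int main(void)
{
    /* Constructed request: length 4, name "foob", no trailing NUL. */
    unsigned char buf[5] = { 4, 'f', 'o', 'o', 'b' };
    struct ea_req *req = (struct ea_req *)buf;

    printf("well-formed, checked:   %d\n",
           ea_name_matches_checked(req, sizeof buf, "foob"));
    printf("well-formed, unchecked: %d\n",
           ea_name_matches_unchecked(req, "foob"));

    /* Same 5-byte buffer, but the client now claims a 9-byte name. The
     * checked path rejects it; the unchecked path would read 4 bytes past
     * the buffer, which is exactly the out-of-bounds read to avoid. */
    buf[0] = 9;
    printf("overlong, checked:      %d\n",
           ea_name_matches_checked(req, sizeof buf, "foobarbaz"));
    return 0;
}
```

The essential property of the hardened version is that every bound it uses (req_len) comes from the server's own accounting of how many bytes arrived, not from a field the client wrote; the declared length is only ever compared against that, never used on its own as a read limit.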

Remediation

Users should upgrade to a Linux kernel release in which this vulnerability has been addressed. The specific commit that resolves the issue is available in the Linux kernel stable tree.

Added: Apr 24, 2026, 5:36 PM
Updated: Apr 24, 2026, 5:36 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 6.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.