From 76f726cff13185141a1435cc11e47bd1774a83d4 Mon Sep 17 00:00:00 2001 From: Makar Semyonov Date: Thu, 25 Sep 2025 15:29:48 +0800 Subject: [PATCH] cifs: prevent NULL pointer dereference in UTF16 conversion mainline inclusion from mainline-v6.17-rc4 commit 70bccd9855dae56942f2b18a08ba137bb54093a0 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICYXW3 CVE: CVE-2025-39838 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=70bccd9855dae56942f2b18a08ba137bb54093a0 -------------------------------- There can be a NULL pointer dereference bug here. NULL is passed to __cifs_sfu_make_node without checks, which passes it unchecked to cifs_strndup_to_utf16, which in turn passes it to cifs_local_to_utf16_bytes where '*from' is dereferenced, causing a crash. This patch adds a check for NULL 'src' in cifs_strndup_to_utf16 and returns NULL early to prevent dereferencing NULL pointer. Found by Linux Verification Center (linuxtesting.org) with SVACE Signed-off-by: Makar Semyonov Cc: stable@vger.kernel.org Signed-off-by: Steve French Conflicts: fs/cifs/cifs_unicode.c fs/smb/client/cifs_unicode.c [Code move to fs/smb directory in mainline] Signed-off-by: Long Li --- fs/cifs/cifs_unicode.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/cifs/cifs_unicode.c b/fs/cifs/cifs_unicode.c index 7932e20555d2..47e38cf7ef89 100644 --- a/fs/cifs/cifs_unicode.c +++ b/fs/cifs/cifs_unicode.c @@ -633,6 +633,9 @@ cifs_strndup_to_utf16(const char *src, const int maxlen, int *utf16_len, int len; __le16 *dst; + if (!src) + return NULL; + len = cifs_local_to_utf16_bytes(src, maxlen, cp); len += 2; /* NULL */ dst = kmalloc(len, GFP_KERNEL); -- Gitee
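Review bot: The early `return NULL;` in the hunk leaves `*utf16_len` untouched, so the NULL-input path now looks exactly like the kmalloc failure path a few lines below; please confirm every caller tests the return value before reading `*utf16_len`, since a caller that only checks the length would read an uninitialised or stale value. The check is a safety net in the lowest-level helper while the commit message places the origin of the NULL in `__cifs_sfu_make_node`; a one-line comment above `if (!src)` stating that callers may legitimately pass a NULL name (and that NULL is the agreed error return, matching the allocation-failure case) would keep future readers from "fixing" it back out. The backport is otherwise a straight path rename (fs/cifs vs fs/smb/client) with no semantic drift from the mainline commit.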