Merge tag '4.18-rc3-smb3fixes' of git://git.samba.org/sfrench/cifs-2.6

Pull cifs fixes from Steve French:
 "Five smb3/cifs fixes for stable (including for some leaks and memory
  overwrites) and also a few fixes for recent regressions in packet
  signing.

  Additional testing at the recent SMB3 test event, and some good work
  by Paulo and others spotted the issues fixed here. In addition to my
  xfstest runs on these, Aurelien and Stefano did additional test runs
  to verify this set"

* tag '4.18-rc3-smb3fixes' of git://git.samba.org/sfrench/cifs-2.6:
  cifs: Fix stack out-of-bounds in smb{2,3}_create_lease_buf()
  cifs: Fix infinite loop when using hard mount option
  cifs: Fix slab-out-of-bounds in send_set_info() on SMB2 ACE setting
  cifs: Fix memory leak in smb2_set_ea()
  cifs: fix SMB1 breakage
  cifs: Fix validation of signed data in smb2
  cifs: Fix validation of signed data in smb3+
  cifs: Fix use after free of a mid_q_entry

1 files changed, 7 insertions, 7 deletions

diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
index 0356b5559c71..ea92a38b2f08 100644
--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -203,6 +203,7 @@ smb2_find_mid(struct TCP_Server_Info *server, char *buf)
                 if ((mid->mid == wire_mid) &&
                     (mid->mid_state == MID_REQUEST_SUBMITTED) &&
                     (mid->command == shdr->Command)) {
+                        kref_get(&mid->refcount);
                         spin_unlock(&GlobalMid_Lock);
                         return mid;
                 }
@@ -855,6 +856,8 @@ smb2_set_ea(const unsigned int xid, struct cifs_tcon *tcon,
 
         rc = SMB2_set_ea(xid, tcon, fid.persistent_fid, fid.volatile_fid, ea,
                          len);
+        kfree(ea);
+
         SMB2_close(xid, tcon, fid.persistent_fid, fid.volatile_fid);
 
         return rc;
@@ -2219,8 +2222,7 @@ smb2_create_lease_buf(u8 *lease_key, u8 oplock)
         if (!buf)
                 return NULL;
 
-        buf->lcontext.LeaseKeyLow = cpu_to_le64(*((u64 *)lease_key));
-        buf->lcontext.LeaseKeyHigh = cpu_to_le64(*((u64 *)(lease_key + 8)));
+        memcpy(&buf->lcontext.LeaseKey, lease_key, SMB2_LEASE_KEY_SIZE);
         buf->lcontext.LeaseState = map_oplock_to_lease(oplock);
 
         buf->ccontext.DataOffset = cpu_to_le16(offsetof
@@ -2246,8 +2248,7 @@ smb3_create_lease_buf(u8 *lease_key, u8 oplock)
         if (!buf)
                 return NULL;
 
-        buf->lcontext.LeaseKeyLow = cpu_to_le64(*((u64 *)lease_key));
-        buf->lcontext.LeaseKeyHigh = cpu_to_le64(*((u64 *)(lease_key + 8)));
+        memcpy(&buf->lcontext.LeaseKey, lease_key, SMB2_LEASE_KEY_SIZE);
         buf->lcontext.LeaseState = map_oplock_to_lease(oplock);
 
         buf->ccontext.DataOffset = cpu_to_le16(offsetof
@@ -2284,8 +2285,7 @@ smb3_parse_lease_buf(void *buf, unsigned int *epoch, char *lease_key)
         if (lc->lcontext.LeaseFlags & SMB2_LEASE_FLAG_BREAK_IN_PROGRESS)
                 return SMB2_OPLOCK_LEVEL_NOCHANGE;
         if (lease_key)
-                memcpy(lease_key, &lc->lcontext.LeaseKeyLow,
-                       SMB2_LEASE_KEY_SIZE);
+                memcpy(lease_key, &lc->lcontext.LeaseKey, SMB2_LEASE_KEY_SIZE);
         return le32_to_cpu(lc->lcontext.LeaseState);
 }
 
@@ -2521,7 +2521,7 @@ smb3_init_transform_rq(struct TCP_Server_Info *server, struct smb_rqst *new_rq,
         if (!tr_hdr)
                 goto err_free_iov;
 
-        orig_len = smb2_rqst_len(old_rq, false);
+        orig_len = smb_rqst_len(server, old_rq);
 
         /* fill the 2nd iov with a transform header */
         fill_transform_hdr(tr_hdr, orig_len, old_rq);