| -rw-r--r-- | fs/cifs/smb2misc.c | 11 | ||||
| -rw-r--r-- | fs/cifs/smb2pdu.c | 3 |
2 files changed, 9 insertions, 5 deletions
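--- a/fs/cifs/smb2misc.c
+++ b/fs/cifs/smb2misc.c
@@ -94,7 +94,8 @@ static const __le16 smb2_rsp_struct_sizes[NUMBER_OF_SMB2_COMMANDS] = {
 };
 
 #ifdef CONFIG_CIFS_SMB311
-static __u32 get_neg_ctxt_len(struct smb2_hdr *hdr, __u32 len, __u32 non_ctxlen)
+static __u32 get_neg_ctxt_len(struct smb2_hdr *hdr, __u32 len, __u32 non_ctxlen,
+			      size_t hdr_preamble_size)
 {
 	__u16 neg_count;
 	__u32 nc_offset, size_of_pad_before_neg_ctxts;
@@ -108,11 +109,12 @@ static __u32 get_neg_ctxt_len(struct smb2_hdr *hdr, __u32 len, __u32 non_ctxlen)
 
 	/* Make sure that negotiate contexts start after gss security blob */
 	nc_offset = le32_to_cpu(pneg_rsp->NegotiateContextOffset);
-	if (nc_offset < non_ctxlen - 4 /* RFC1001 len field */) {
+	if (nc_offset < non_ctxlen - hdr_preamble_size /* RFC1001 len */) {
 		printk_once(KERN_WARNING "invalid negotiate context offset\n");
 		return 0;
 	}
-	size_of_pad_before_neg_ctxts = nc_offset - (non_ctxlen - 4);
+	size_of_pad_before_neg_ctxts = nc_offset -
+		(non_ctxlen - hdr_preamble_size);
 
 	/* Verify that at least minimal negotiate contexts fit within frame */
 	if (len < nc_offset + (neg_count * sizeof(struct smb2_neg_context))) {
@@ -235,7 +237,8 @@ smb2_check_message(char *buf, unsigned int length, struct TCP_Server_Info *srvr)
 
 #ifdef CONFIG_CIFS_SMB311
 	if (shdr->Command == SMB2_NEGOTIATE)
-		clc_len += get_neg_ctxt_len(hdr, len, clc_len);
+		clc_len += get_neg_ctxt_len(hdr, len, clc_len,
+					    srvr->vals->header_preamble_size);
 #endif /* SMB311 */
 	if (srvr->vals->header_preamble_size + len != clc_len) {
 		cifs_dbg(FYI, "Calculated size %u length %zu mismatch mid %llu\n",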
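Review bot: The inline comment `/* RFC1001 len */` on the new nc_offset check still describes a fixed 4-byte field, but the operand is now `hdr_preamble_size`, which the caller passes as `srvr->vals->header_preamble_size` and which presumably can be 0 on transports that carry no RFC1001 preamble; `/* skip RFC1001 preamble, 0 when absent */` would say what the subtraction actually does. The function also gains a parameter without any comment recording that `non_ctxlen` counts the preamble while `nc_offset` (NegotiateContextOffset) is relative to the SMB2 header, which is the whole reason the preamble is subtracted; a two-line comment above the check stating that relationship would spare the next reader a trip to smb2_check_message. Because `non_ctxlen` is __u32 and `hdr_preamble_size` is size_t, a `non_ctxlen` smaller than the preamble would wrap the subtraction and be rejected only because the wrapped value is huge; `if (non_ctxlen < hdr_preamble_size || nc_offset < non_ctxlen - hdr_preamble_size)` makes that rejection explicit and keeps the warning meaningful. get_neg_ctxt_len's body continues outside both hunks.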
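--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -474,7 +474,8 @@ static int smb311_decode_neg_context(struct smb2_negotiate_rsp *rsp,
 		if (len_of_ctxts < sizeof(struct smb2_neg_context))
 			break;
 
-		pctx = (struct smb2_neg_context *)(offset + 4 + (char *)rsp);
+		pctx = (struct smb2_neg_context *)(offset +
+			server->vals->header_preamble_size + (char *)rsp);
 		clen = le16_to_cpu(pctx->DataLength);
 		if (clen > len_of_ctxts)
 			break;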
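Review bot: The rewritten pctx computation puts the base pointer last, `offset + server->vals->header_preamble_size + (char *)rsp`, so the expression reads as integer arithmetic until the cast at the very end and the line wrap lands in the middle of it; `pctx = (struct smb2_neg_context *)((char *)rsp + offset + server->vals->header_preamble_size);` is the conventional base-first order and fits the intent on one read. A short comment above it such as `/* offset is relative to the SMB2 header; step over the transport preamble */` would record why the preamble is added, since nothing in the hunk says where `offset` comes from or what it is relative to. The `len_of_ctxts` guard above only bounds the read of `pctx->DataLength` if `len_of_ctxts` was derived against the same preamble-adjusted base, which is presumably done earlier in smb311_decode_neg_context; the function starts and the loop ends outside the hunk, so that cannot be confirmed here.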
