aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSteve French <sfrench@us.ibm.com>2008-10-08 15:13:46 -0400
committerSteve French <sfrench@us.ibm.com>2008-10-08 15:13:46 -0400
commitb77d753c413e02559669df66e543869dad40c847 (patch)
tree95946079a0b58c06a6e98b22b06f86a89fe68749
parent0752f1522a9120f731232919f7ad904e9e22b8ce (diff)
[CIFS] Check that last search entry resume key is valid
Jeff's recent patch to add a last_entry field in the search structure to better construct resume keys did not validate that the server sent us a plausible pointer to the last entry. This adds that. Signed-off-by: Steve French <sfrench@us.ibm.com>
-rw-r--r--fs/cifs/cifssmb.c27
1 files changed, 24 insertions, 3 deletions
diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c
index 7b00a16e1352..6f4ffe15d68d 100644
--- a/fs/cifs/cifssmb.c
+++ b/fs/cifs/cifssmb.c
@@ -3614,6 +3614,8 @@ findFirstRetry:
3614 /* BB remember to free buffer if error BB */ 3614 /* BB remember to free buffer if error BB */
3615 rc = validate_t2((struct smb_t2_rsp *)pSMBr); 3615 rc = validate_t2((struct smb_t2_rsp *)pSMBr);
3616 if (rc == 0) { 3616 if (rc == 0) {
3617 unsigned int lnoff;
3618
3617 if (pSMBr->hdr.Flags2 & SMBFLG2_UNICODE) 3619 if (pSMBr->hdr.Flags2 & SMBFLG2_UNICODE)
3618 psrch_inf->unicode = true; 3620 psrch_inf->unicode = true;
3619 else 3621 else
@@ -3636,8 +3638,17 @@ findFirstRetry:
3636 le16_to_cpu(parms->SearchCount); 3638 le16_to_cpu(parms->SearchCount);
3637 psrch_inf->index_of_last_entry = 2 /* skip . and .. */ + 3639 psrch_inf->index_of_last_entry = 2 /* skip . and .. */ +
3638 psrch_inf->entries_in_buffer; 3640 psrch_inf->entries_in_buffer;
3641 lnoff = le16_to_cpu(parms->LastNameOffset);
3642 if (tcon->ses->server->maxBuf - MAX_CIFS_HDR_SIZE <
3643 lnoff) {
3644 cERROR(1, ("ignoring corrupt resume name"));
3645 psrch_inf->last_entry = NULL;
3646 return rc;
3647 }
3648
3639 psrch_inf->last_entry = psrch_inf->srch_entries_start + 3649 psrch_inf->last_entry = psrch_inf->srch_entries_start +
3640 le16_to_cpu(parms->LastNameOffset); 3650 lnoff;
3651
3641 *pnetfid = parms->SearchHandle; 3652 *pnetfid = parms->SearchHandle;
3642 } else { 3653 } else {
3643 cifs_buf_release(pSMB); 3654 cifs_buf_release(pSMB);
@@ -3727,6 +3738,8 @@ int CIFSFindNext(const int xid, struct cifsTconInfo *tcon,
3727 rc = validate_t2((struct smb_t2_rsp *)pSMBr); 3738 rc = validate_t2((struct smb_t2_rsp *)pSMBr);
3728 3739
3729 if (rc == 0) { 3740 if (rc == 0) {
3741 unsigned int lnoff;
3742
3730 /* BB fixme add lock for file (srch_info) struct here */ 3743 /* BB fixme add lock for file (srch_info) struct here */
3731 if (pSMBr->hdr.Flags2 & SMBFLG2_UNICODE) 3744 if (pSMBr->hdr.Flags2 & SMBFLG2_UNICODE)
3732 psrch_inf->unicode = true; 3745 psrch_inf->unicode = true;
@@ -3753,8 +3766,16 @@ int CIFSFindNext(const int xid, struct cifsTconInfo *tcon,
3753 le16_to_cpu(parms->SearchCount); 3766 le16_to_cpu(parms->SearchCount);
3754 psrch_inf->index_of_last_entry += 3767 psrch_inf->index_of_last_entry +=
3755 psrch_inf->entries_in_buffer; 3768 psrch_inf->entries_in_buffer;
3756 psrch_inf->last_entry = psrch_inf->srch_entries_start + 3769 lnoff = le16_to_cpu(parms->LastNameOffset);
3757 le16_to_cpu(parms->LastNameOffset); 3770 if (tcon->ses->server->maxBuf - MAX_CIFS_HDR_SIZE <
3771 lnoff) {
3772 cERROR(1, ("ignoring corrupt resume name"));
3773 psrch_inf->last_entry = NULL;
3774 return rc;
3775 } else
3776 psrch_inf->last_entry =
3777 psrch_inf->srch_entries_start + lnoff;
3778
3758/* cFYI(1,("fnxt2 entries in buf %d index_of_last %d", 3779/* cFYI(1,("fnxt2 entries in buf %d index_of_last %d",
3759 psrch_inf->entries_in_buffer, psrch_inf->index_of_last_entry)); */ 3780 psrch_inf->entries_in_buffer, psrch_inf->index_of_last_entry)); */
3760 3781