aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJeff Layton <jlayton@redhat.com>2011-01-20 13:36:51 -0500
committerSteve French <sfrench@us.ibm.com>2011-01-20 16:47:54 -0500
commit26ec254869c0158ea8db6de83b7644e2d93cac2a (patch)
treec011b56ea2b519f8988b7965ab318e480a6c4fc9
parent12df83c9b901cfe8ca7a66fbe0effc6d873cbbb9 (diff)
cifs: fix unaligned access in check2ndT2 and coalesce_t2
Signed-off-by: Jeff Layton <jlayton@redhat.com> Acked-by: Pavel Shilovsky <piastryyy@gmail.com> Reviewed-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
Diffstat
-rw-r--r--fs/cifs/connect.c33
1 files changed, 14 insertions, 19 deletions
diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index ca20e813275d..18d3c7724d6e 100644
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -232,9 +232,8 @@ cifs_reconnect(struct TCP_Server_Info *server)
232static int check2ndT2(struct smb_hdr *pSMB, unsigned int maxBufSize) 232static int check2ndT2(struct smb_hdr *pSMB, unsigned int maxBufSize)
233{ 233{
234 struct smb_t2_rsp *pSMBt; 234 struct smb_t2_rsp *pSMBt;
235 int total_data_size;
236 int data_in_this_rsp;
237 int remaining; 235 int remaining;
236 __u16 total_data_size, data_in_this_rsp;
238 237
239 if (pSMB->Command != SMB_COM_TRANSACTION2) 238 if (pSMB->Command != SMB_COM_TRANSACTION2)
240 return 0; 239 return 0;
@@ -248,8 +247,8 @@ static int check2ndT2(struct smb_hdr *pSMB, unsigned int maxBufSize)
248 247
249 pSMBt = (struct smb_t2_rsp *)pSMB; 248 pSMBt = (struct smb_t2_rsp *)pSMB;
250 249
251 total_data_size = le16_to_cpu(pSMBt->t2_rsp.TotalDataCount); 250 total_data_size = get_unaligned_le16(&pSMBt->t2_rsp.TotalDataCount);
252 data_in_this_rsp = le16_to_cpu(pSMBt->t2_rsp.DataCount); 251 data_in_this_rsp = get_unaligned_le16(&pSMBt->t2_rsp.DataCount);
253 252
254 remaining = total_data_size - data_in_this_rsp; 253 remaining = total_data_size - data_in_this_rsp;
255 254
@@ -275,21 +274,18 @@ static int coalesce_t2(struct smb_hdr *psecond, struct smb_hdr *pTargetSMB)
275{ 274{
276 struct smb_t2_rsp *pSMB2 = (struct smb_t2_rsp *)psecond; 275 struct smb_t2_rsp *pSMB2 = (struct smb_t2_rsp *)psecond;
277 struct smb_t2_rsp *pSMBt = (struct smb_t2_rsp *)pTargetSMB; 276 struct smb_t2_rsp *pSMBt = (struct smb_t2_rsp *)pTargetSMB;
278 int total_data_size;
279 int total_in_buf;
280 int remaining;
281 int total_in_buf2;
282 char *data_area_of_target; 277 char *data_area_of_target;
283 char *data_area_of_buf2; 278 char *data_area_of_buf2;
284 __u16 byte_count; 279 int remaining;
280 __u16 byte_count, total_data_size, total_in_buf, total_in_buf2;
285 281
286 total_data_size = le16_to_cpu(pSMBt->t2_rsp.TotalDataCount); 282 total_data_size = get_unaligned_le16(&pSMBt->t2_rsp.TotalDataCount);
287 283
288 if (total_data_size != le16_to_cpu(pSMB2->t2_rsp.TotalDataCount)) { 284 if (total_data_size !=
285 get_unaligned_le16(&pSMB2->t2_rsp.TotalDataCount))
289 cFYI(1, "total data size of primary and secondary t2 differ"); 286 cFYI(1, "total data size of primary and secondary t2 differ");
290 }
291 287
292 total_in_buf = le16_to_cpu(pSMBt->t2_rsp.DataCount); 288 total_in_buf = get_unaligned_le16(&pSMBt->t2_rsp.DataCount);
293 289
294 remaining = total_data_size - total_in_buf; 290 remaining = total_data_size - total_in_buf;
295 291
@@ -299,25 +295,25 @@ static int coalesce_t2(struct smb_hdr *psecond, struct smb_hdr *pTargetSMB)
299 if (remaining == 0) /* nothing to do, ignore */ 295 if (remaining == 0) /* nothing to do, ignore */
300 return 0; 296 return 0;
301 297
302 total_in_buf2 = le16_to_cpu(pSMB2->t2_rsp.DataCount); 298 total_in_buf2 = get_unaligned_le16(&pSMB2->t2_rsp.DataCount);
303 if (remaining < total_in_buf2) { 299 if (remaining < total_in_buf2) {
304 cFYI(1, "transact2 2nd response contains too much data"); 300 cFYI(1, "transact2 2nd response contains too much data");
305 } 301 }
306 302
307 /* find end of first SMB data area */ 303 /* find end of first SMB data area */
308 data_area_of_target = (char *)&pSMBt->hdr.Protocol + 304 data_area_of_target = (char *)&pSMBt->hdr.Protocol +
309 le16_to_cpu(pSMBt->t2_rsp.DataOffset); 305 get_unaligned_le16(&pSMBt->t2_rsp.DataOffset);
310 /* validate target area */ 306 /* validate target area */
311 307
312 data_area_of_buf2 = (char *) &pSMB2->hdr.Protocol + 308 data_area_of_buf2 = (char *)&pSMB2->hdr.Protocol +
313 le16_to_cpu(pSMB2->t2_rsp.DataOffset); 309 get_unaligned_le16(&pSMB2->t2_rsp.DataOffset);
314 310
315 data_area_of_target += total_in_buf; 311 data_area_of_target += total_in_buf;
316 312
317 /* copy second buffer into end of first buffer */ 313 /* copy second buffer into end of first buffer */
318 memcpy(data_area_of_target, data_area_of_buf2, total_in_buf2); 314 memcpy(data_area_of_target, data_area_of_buf2, total_in_buf2);
319 total_in_buf += total_in_buf2; 315 total_in_buf += total_in_buf2;
320 pSMBt->t2_rsp.DataCount = cpu_to_le16(total_in_buf); 316 put_unaligned_le16(total_in_buf, &pSMBt->t2_rsp.DataCount);
321 byte_count = get_bcc_le(pTargetSMB); 317 byte_count = get_bcc_le(pTargetSMB);
322 byte_count += total_in_buf2; 318 byte_count += total_in_buf2;
323 put_bcc_le(byte_count, pTargetSMB); 319 put_bcc_le(byte_count, pTargetSMB);
@@ -334,7 +330,6 @@ static int coalesce_t2(struct smb_hdr *psecond, struct smb_hdr *pTargetSMB)
334 return 0; /* we are done */ 330 return 0; /* we are done */
335 } else /* more responses to go */ 331 } else /* more responses to go */
336 return 1; 332 return 1;
337
338} 333}
339 334
340static void 335static void
generated by cgit v1.2.2 (git 2.25.0) at 2024-11-24 20:47:48 -0500