diff options
author | Jeff Layton <jlayton@redhat.com> | 2011-04-27 13:25:51 -0400 |
---|---|---|
committer | Steve French <sfrench@us.ibm.com> | 2011-04-29 00:57:35 -0400 |
commit | bfacf2225a955bea9c41c707fc72ba16009674a0 (patch) | |
tree | b164fd09adda6397a46d7a0e2e1438a3b5525d72 | |
parent | fafc9929c668f8bae6dd1f109f33a86d2cb3c460 (diff) |
cifs: change bleft in decode_unicode_ssetup back to signed type
The buffer length checks in this function depend on this value being a
signed data type, but 690c522fa converted it to an unsigned type.
Also, eliminate a problem with the null termination check in the same
function. cifs_strndup_from_ucs handles that situation correctly
already, and the existing check could potentially lead to a buffer
overrun since it increments bleft without checking to see whether it
falls off the end of the buffer.
Cc: stable@kernel.org
Reported-and-Acked-by: David Howells <dhowells@redhat.com>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
-rw-r--r-- | fs/cifs/sess.c | 15 |
1 files changed, 1 insertions, 14 deletions
diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c index f6728eb6f4b9..2e2c91103529 100644 --- a/fs/cifs/sess.c +++ b/fs/cifs/sess.c | |||
@@ -276,7 +276,7 @@ static void ascii_ssetup_strings(char **pbcc_area, struct cifsSesInfo *ses, | |||
276 | } | 276 | } |
277 | 277 | ||
278 | static void | 278 | static void |
279 | decode_unicode_ssetup(char **pbcc_area, __u16 bleft, struct cifsSesInfo *ses, | 279 | decode_unicode_ssetup(char **pbcc_area, int bleft, struct cifsSesInfo *ses, |
280 | const struct nls_table *nls_cp) | 280 | const struct nls_table *nls_cp) |
281 | { | 281 | { |
282 | int len; | 282 | int len; |
@@ -284,19 +284,6 @@ decode_unicode_ssetup(char **pbcc_area, __u16 bleft, struct cifsSesInfo *ses, | |||
284 | 284 | ||
285 | cFYI(1, "bleft %d", bleft); | 285 | cFYI(1, "bleft %d", bleft); |
286 | 286 | ||
287 | /* | ||
288 | * Windows servers do not always double null terminate their final | ||
289 | * Unicode string. Check to see if there are an uneven number of bytes | ||
290 | * left. If so, then add an extra NULL pad byte to the end of the | ||
291 | * response. | ||
292 | * | ||
293 | * See section 2.7.2 in "Implementing CIFS" for details | ||
294 | */ | ||
295 | if (bleft % 2) { | ||
296 | data[bleft] = 0; | ||
297 | ++bleft; | ||
298 | } | ||
299 | |||
300 | kfree(ses->serverOS); | 287 | kfree(ses->serverOS); |
301 | ses->serverOS = cifs_strndup_from_ucs(data, bleft, true, nls_cp); | 288 | ses->serverOS = cifs_strndup_from_ucs(data, bleft, true, nls_cp); |
302 | cFYI(1, "serverOS=%s", ses->serverOS); | 289 | cFYI(1, "serverOS=%s", ses->serverOS); |