[CIFS] Fix buffer overflow if server sends corrupt response to small

request In SendReceive() function in transport.c - it memcpy's message payload into a buffer passed via out_buf param. The function assumes that all buffers are of size (CIFSMaxBufSize + MAX_CIFS_HDR_SIZE) , unfortunately it is also called with smaller (MAX_CIFS_SMALL_BUFFER_SIZE) buffers. There are eight callers (SMB worker functions) which are primarily affected by this change: TreeDisconnect, uLogoff, Close, findClose, SetFileSize, SetFileTimes, Lock and PosixLock CC: Dave Kleikamp <shaggy@austin.ibm.com> CC: Przemyslaw Wegrzyn <czajnik@czajsoft.pl> Acked-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
author: Steve French <sfrench@us.ibm.com> 2007-11-13 17:41:37 -0500
committer: Steve French <sfrench@us.ibm.com> 2007-11-13 17:41:37 -0500
commit: 133672efbc1085f9af990bdc145e1822ea93bcf3 (patch)
tree: b93b5ba3a9559d137fe7fb86f6d1a3d33189ce0b /fs/cifs/cifsglob.h
parent: 9418d5dc9ba40b88737580457bf3b7c63c60ec43 (diff)
1 files changed, 11 insertions, 0 deletions
diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h
index 87f51f23276f..4ff8179df7ec 100644
--- a/fs/cifs/cifsglob.h
+++ b/fs/cifs/cifsglob.h
@@ -471,6 +471,17 @@ struct dir_notify_req {
 #define   CIFS_LARGE_BUFFER     2
 #define   CIFS_IOVEC            4    /* array of response buffers */
+/* Type of Request to SendReceive2 */
+#define   CIFS_STD_OP           0    /* normal request timeout */
+#define   CIFS_LONG_OP          1    /* long op (up to 45 sec, oplock time) */
+#define   CIFS_VLONG_OP         2    /* sloow op - can take up to 180 seconds */
+#define   CIFS_BLOCKING_OP      4    /* operation can block */
+#define   CIFS_ASYNC_OP         8    /* do not wait for response */
+#define   CIFS_TIMEOUT_MASK 0x00F    /* only one of 5 above set in req */
+#define   CIFS_LOG_ERROR    0x010    /* log NT STATUS if non-zero */
+#define   CIFS_LARGE_BUF_OP 0x020    /* large request buffer */
+#define   CIFS_NO_RESP      0x040    /* no response buffer required */
 /* Security Flags: indicate type of session setup needed */
 #define   CIFSSEC_MAY_SIGN      0x00001
 #define   CIFSSEC_MAY_NTLM      0x00002
author	Steve French <sfrench@us.ibm.com>	2007-11-13 17:41:37 -0500
committer	Steve French <sfrench@us.ibm.com>	2007-11-13 17:41:37 -0500
commit	133672efbc1085f9af990bdc145e1822ea93bcf3 (patch)
tree	b93b5ba3a9559d137fe7fb86f6d1a3d33189ce0b /fs/cifs/cifsglob.h
parent	9418d5dc9ba40b88737580457bf3b7c63c60ec43 (diff)

diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h index 87f51f23276f..4ff8179df7ec 100644 --- a/fs/cifs/cifsglob.h +++ b/fs/cifs/cifsglob.h
@@ -471,6 +471,17 @@ struct dir_notify_req {
471	#define CIFS_LARGE_BUFFER 2	471	#define CIFS_LARGE_BUFFER 2
472	#define CIFS_IOVEC 4 /* array of response buffers */	472	#define CIFS_IOVEC 4 /* array of response buffers */
473		473
		474	/* Type of Request to SendReceive2 */
		475	#define CIFS_STD_OP 0 /* normal request timeout */
		476	#define CIFS_LONG_OP 1 /* long op (up to 45 sec, oplock time) */
		477	#define CIFS_VLONG_OP 2 /* sloow op - can take up to 180 seconds */
		478	#define CIFS_BLOCKING_OP 4 /* operation can block */
		479	#define CIFS_ASYNC_OP 8 /* do not wait for response */
		480	#define CIFS_TIMEOUT_MASK 0x00F /* only one of 5 above set in req */
		481	#define CIFS_LOG_ERROR 0x010 /* log NT STATUS if non-zero */
		482	#define CIFS_LARGE_BUF_OP 0x020 /* large request buffer */
		483	#define CIFS_NO_RESP 0x040 /* no response buffer required */
		484
474	/* Security Flags: indicate type of session setup needed */	485	/* Security Flags: indicate type of session setup needed */
475	#define CIFSSEC_MAY_SIGN 0x00001	486	#define CIFSSEC_MAY_SIGN 0x00001
476	#define CIFSSEC_MAY_NTLM 0x00002	487	#define CIFSSEC_MAY_NTLM 0x00002