aboutsummaryrefslogtreecommitdiffstats
path: root/fs/cifs/connect.c
diff options
context:
space:
mode:
authorJeff Layton <jlayton@redhat.com>2011-04-27 13:29:49 -0400
committerSteve French <sfrench@us.ibm.com>2011-04-29 01:02:08 -0400
commit2a2047bc94d0efc316401170c3d078d9edc20dc4 (patch)
treefb085ee1125e6f754c817df84cc603e56d664c52 /fs/cifs/connect.c
parentfcda7f4578bbf9717444ca6da8a421d21489d078 (diff)
cifs: sanitize length checking in coalesce_t2 (try #3)
There are a couple of places in this code where these values can wrap or go negative, and that could potentially end up overflowing the buffer. Ensure that that doesn't happen. Do all of the length calculation and checks first, and only perform the memcpy after they pass. Also, increase some stack variables to 32 bits to ensure that they don't wrap without being detected. Finally, change the error codes to be a bit more descriptive of any problems detected. -EINVAL isn't very accurate. Cc: stable@kernel.org Reported-and-Acked-by: David Howells <dhowells@redhat.com> Signed-off-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
Diffstat (limited to 'fs/cifs/connect.c')
-rw-r--r--fs/cifs/connect.c22
1 files changed, 16 insertions, 6 deletions
diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index 4bc862a80efa..8b75a8ec90b4 100644
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -274,7 +274,8 @@ static int coalesce_t2(struct smb_hdr *psecond, struct smb_hdr *pTargetSMB)
274 char *data_area_of_target; 274 char *data_area_of_target;
275 char *data_area_of_buf2; 275 char *data_area_of_buf2;
276 int remaining; 276 int remaining;
277 __u16 byte_count, total_data_size, total_in_buf, total_in_buf2; 277 unsigned int byte_count, total_in_buf;
278 __u16 total_data_size, total_in_buf2;
278 279
279 total_data_size = get_unaligned_le16(&pSMBt->t2_rsp.TotalDataCount); 280 total_data_size = get_unaligned_le16(&pSMBt->t2_rsp.TotalDataCount);
280 281
@@ -287,7 +288,7 @@ static int coalesce_t2(struct smb_hdr *psecond, struct smb_hdr *pTargetSMB)
287 remaining = total_data_size - total_in_buf; 288 remaining = total_data_size - total_in_buf;
288 289
289 if (remaining < 0) 290 if (remaining < 0)
290 return -EINVAL; 291 return -EPROTO;
291 292
292 if (remaining == 0) /* nothing to do, ignore */ 293 if (remaining == 0) /* nothing to do, ignore */
293 return 0; 294 return 0;
@@ -308,20 +309,29 @@ static int coalesce_t2(struct smb_hdr *psecond, struct smb_hdr *pTargetSMB)
308 data_area_of_target += total_in_buf; 309 data_area_of_target += total_in_buf;
309 310
310 /* copy second buffer into end of first buffer */ 311 /* copy second buffer into end of first buffer */
311 memcpy(data_area_of_target, data_area_of_buf2, total_in_buf2);
312 total_in_buf += total_in_buf2; 312 total_in_buf += total_in_buf2;
313 /* is the result too big for the field? */
314 if (total_in_buf > USHRT_MAX)
315 return -EPROTO;
313 put_unaligned_le16(total_in_buf, &pSMBt->t2_rsp.DataCount); 316 put_unaligned_le16(total_in_buf, &pSMBt->t2_rsp.DataCount);
317
318 /* fix up the BCC */
314 byte_count = get_bcc_le(pTargetSMB); 319 byte_count = get_bcc_le(pTargetSMB);
315 byte_count += total_in_buf2; 320 byte_count += total_in_buf2;
321 /* is the result too big for the field? */
322 if (byte_count > USHRT_MAX)
323 return -EPROTO;
316 put_bcc_le(byte_count, pTargetSMB); 324 put_bcc_le(byte_count, pTargetSMB);
317 325
318 byte_count = pTargetSMB->smb_buf_length; 326 byte_count = pTargetSMB->smb_buf_length;
319 byte_count += total_in_buf2; 327 byte_count += total_in_buf2;
320 328 /* don't allow buffer to overflow */
321 /* BB also add check that we are not beyond maximum buffer size */ 329 if (byte_count > CIFSMaxBufSize)
322 330 return -ENOBUFS;
323 pTargetSMB->smb_buf_length = byte_count; 331 pTargetSMB->smb_buf_length = byte_count;
324 332
333 memcpy(data_area_of_target, data_area_of_buf2, total_in_buf2);
334
325 if (remaining == total_in_buf2) { 335 if (remaining == total_in_buf2) {
326 cFYI(1, "found the last secondary response"); 336 cFYI(1, "found the last secondary response");
327 return 0; /* we are done */ 337 return 0; /* we are done */