[CIFS] Fix buffer overflow if server sends corrupt response to small

request In SendReceive() function in transport.c - it memcpy's message payload into a buffer passed via out_buf param. The function assumes that all buffers are of size (CIFSMaxBufSize + MAX_CIFS_HDR_SIZE) , unfortunately it is also called with smaller (MAX_CIFS_SMALL_BUFFER_SIZE) buffers. There are eight callers (SMB worker functions) which are primarily affected by this change: TreeDisconnect, uLogoff, Close, findClose, SetFileSize, SetFileTimes, Lock and PosixLock CC: Dave Kleikamp <shaggy@austin.ibm.com> CC: Przemyslaw Wegrzyn <czajnik@czajsoft.pl> Acked-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
author: Steve French <sfrench@us.ibm.com> 2007-11-13 17:41:37 -0500
committer: Steve French <sfrench@us.ibm.com> 2007-11-13 17:41:37 -0500
commit: 133672efbc1085f9af990bdc145e1822ea93bcf3 (patch)
tree: b93b5ba3a9559d137fe7fb86f6d1a3d33189ce0b /fs/cifs/connect.c
parent: 9418d5dc9ba40b88737580457bf3b7c63c60ec43 (diff)
1 files changed, 5 insertions, 4 deletions
diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index c52a76ff4bb9..26e1087e081f 100644
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -2374,7 +2374,7 @@ CIFSSessSetup(unsigned int xid, struct cifsSesInfo *ses,
        pSMB->req_no_secext.ByteCount = cpu_to_le16(count);
        rc = SendReceive(xid, ses, smb_buffer, smb_buffer_response,
-                         &bytes_returned, 1);
+                         &bytes_returned, CIFS_LONG_OP);
        if (rc) {
 /* rc = map_smb_to_linux_error(smb_buffer_response); now done in SendReceive */
        } else if ((smb_buffer_response->WordCount == 3)
@@ -2678,7 +2678,7 @@ CIFSNTLMSSPNegotiateSessSetup(unsigned int xid,
        pSMB->req.ByteCount = cpu_to_le16(count);
        rc = SendReceive(xid, ses, smb_buffer, smb_buffer_response,
-                         &bytes_returned, 1);
+                         &bytes_returned, CIFS_LONG_OP);
        if (smb_buffer_response->Status.CifsError ==
            cpu_to_le32(NT_STATUS_MORE_PROCESSING_REQUIRED))
@@ -3105,7 +3105,7 @@ CIFSNTLMSSPAuthSessSetup(unsigned int xid, struct cifsSesInfo *ses,
        pSMB->req.ByteCount = cpu_to_le16(count);
        rc = SendReceive(xid, ses, smb_buffer, smb_buffer_response,
-                         &bytes_returned, 1);
+                         &bytes_returned, CIFS_LONG_OP);
        if (rc) {
 /*   rc = map_smb_to_linux_error(smb_buffer_response) done in SendReceive now */
        } else if ((smb_buffer_response->WordCount == 3) ||
@@ -3381,7 +3381,8 @@ CIFSTCon(unsigned int xid, struct cifsSesInfo *ses,
        pSMB->hdr.smb_buf_length += count;
        pSMB->ByteCount = cpu_to_le16(count);
-        rc = SendReceive(xid, ses, smb_buffer, smb_buffer_response, &length, 0);
+        rc = SendReceive(xid, ses, smb_buffer, smb_buffer_response, &length,
+                         CIFS_STD_OP);
        /* if (rc) rc = map_smb_to_linux_error(smb_buffer_response); */
        /* above now done in SendReceive */
author	Steve French <sfrench@us.ibm.com>	2007-11-13 17:41:37 -0500
committer	Steve French <sfrench@us.ibm.com>	2007-11-13 17:41:37 -0500
commit	133672efbc1085f9af990bdc145e1822ea93bcf3 (patch)
tree	b93b5ba3a9559d137fe7fb86f6d1a3d33189ce0b /fs/cifs/connect.c
parent	9418d5dc9ba40b88737580457bf3b7c63c60ec43 (diff)