authorSteve French <sfrench@us.ibm.com>2007-11-13 17:41:37 -0500
committerSteve French <sfrench@us.ibm.com>2007-11-13 17:41:37 -0500
commit133672efbc1085f9af990bdc145e1822ea93bcf3 (patch)
treeb93b5ba3a9559d137fe7fb86f6d1a3d33189ce0b /fs/cifs/file.c
parent9418d5dc9ba40b88737580457bf3b7c63c60ec43 (diff)
[CIFS] Fix buffer overflow if server sends corrupt response to small
request In the SendReceive() function in transport.c, the message payload is memcpy'd into a buffer passed via the out_buf param. The function assumes that all buffers are of size (CIFSMaxBufSize + MAX_CIFS_HDR_SIZE); unfortunately it is also called with smaller (MAX_CIFS_SMALL_BUFFER_SIZE) buffers. There are eight callers (SMB worker functions) which are primarily affected by this change: TreeDisconnect, uLogoff, Close, findClose, SetFileSize, SetFileTimes, Lock and PosixLock CC: Dave Kleikamp <shaggy@austin.ibm.com> CC: Przemyslaw Wegrzyn <czajnik@czajsoft.pl> Acked-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
Diffstat (limited to 'fs/cifs/file.c')
-rw-r--r--fs/cifs/file.c14
1 files changed, 7 insertions, 7 deletions
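diff --git a/fs/cifs/file.c b/fs/cifs/file.c
index 68ad4ca0cfa3..82326d2142e7 100644
--- a/fs/cifs/file.c
+++ b/fs/cifs/file.c
@@ -835,9 +835,9 @@ ssize_t cifs_user_write(struct file *file, const char __user *write_data,
 xid = GetXid();
 
 if (*poffset > file->f_path.dentry->d_inode->i_size)
-long_op = 2; /* writes past end of file can take a long time */
+long_op = CIFS_VLONG_OP; /* writes past EOF take long time */
 else
-long_op = 1;
+long_op = CIFS_LONG_OP;
 
 for (total_written = 0; write_size > total_written;
 total_written += bytes_written) {
@@ -884,7 +884,7 @@ ssize_t cifs_user_write(struct file *file, const char __user *write_data,
 }
 } else
 *poffset += bytes_written;
-long_op = FALSE; /* subsequent writes fast -
+long_op = CIFS_STD_OP; /* subsequent writes fast -
 15 seconds is plenty */
 }
 
@@ -934,9 +934,9 @@ static ssize_t cifs_write(struct file *file, const char *write_data,
 xid = GetXid();
 
 if (*poffset > file->f_path.dentry->d_inode->i_size)
-long_op = 2; /* writes past end of file can take a long time */
+long_op = CIFS_VLONG_OP; /* writes past EOF can be slow */
 else
-long_op = 1;
+long_op = CIFS_LONG_OP;
 
 for (total_written = 0; write_size > total_written;
 total_written += bytes_written) {
@@ -1002,7 +1002,7 @@ static ssize_t cifs_write(struct file *file, const char *write_data,
 }
 } else
 *poffset += bytes_written;
-long_op = FALSE; /* subsequent writes fast -
+long_op = CIFS_STD_OP; /* subsequent writes fast -
 15 seconds is plenty */
 }
 
@@ -1360,7 +1360,7 @@ retry:
 open_file->netfid,
 bytes_to_write, offset,
 &bytes_written, iov, n_iov,
-1);
+CIFS_LONG_OP);
 atomic_dec(&open_file->wrtPending);
 if (rc || bytes_written < bytes_to_write) {
 cERROR(1, ("Write2 ret %d, wrote %d",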
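Review bot: The EOF test that picks the new CIFS_VLONG_OP/CIFS_LONG_OP value at 837 in cifs_user_write (and again at 936 in cifs_write) reads `d_inode->i_size` directly; the kernel convention for an i_size read taken outside i_mutex is `if (*poffset > i_size_read(file->f_path.dentry->d_inode))`, which on 32-bit SMP/preempt builds avoids a torn 64-bit read that could select the wrong long_op. That line is pre-existing context rather than something this commit introduces, and the constant rename itself looks behaviour-neutral, but since the commit is already touching these two lines it is a cheap fix to fold in. At 887 and 1005 the comment `/* subsequent writes fast - 15 seconds is plenty */` now sits beside a symbolic constant; `/* subsequent writes fast - the CIFS_STD_OP timeout is plenty */` would stop the comment rotting if the timeout behind CIFS_STD_OP changes. Both cifs_user_write and cifs_write start and end outside these hunks, and the retry: block of the last hunk does too.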