diff options
| author | Jeff Layton <jlayton@redhat.com> | 2011-12-01 20:23:34 -0500 |
|---|---|---|
| committer | Steve French <smfrench@gmail.com> | 2011-12-08 23:04:47 -0500 |
| commit | 7023676f9ee851d94f0942e879243fc1f9081c47 (patch) | |
| tree | 6aac4d2bbaae57306fa320beb4282c380171a8e2 /fs/cifs/readdir.c | |
| parent | 95edcff497b126a3f3e079e94b20fe2ca7e5a63d (diff) | |
cifs: check for NULL last_entry before calling cifs_save_resume_key
Prior to commit eaf35b1, cifs_save_resume_key had some NULL pointer
checks at the top. It turns out that at least one of those NULL
pointer checks is needed after all.
When the LastNameOffset in a FIND reply appears to be beyond the end of
the buffer, CIFSFindFirst and CIFSFindNext will set srch_inf.last_entry
to NULL. Since eaf35b1, the code will now oops in this situation.
Fix this by having the callers check for a NULL last entry pointer
before calling cifs_save_resume_key. No change is needed for the
call site in cifs_readdir as it's not reachable with a NULL
current_entry pointer.
This should fix:
https://bugzilla.redhat.com/show_bug.cgi?id=750247
Cc: stable@vger.kernel.org
Cc: Christoph Hellwig <hch@infradead.org>
Reported-by: Adam G. Metzler <adamgmetzler@gmail.com>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <smfrench@gmail.com>
Diffstat (limited to 'fs/cifs/readdir.c')
| -rw-r--r-- | fs/cifs/readdir.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/fs/cifs/readdir.c b/fs/cifs/readdir.c index 5de03ec20144..a090bbe6ee29 100644 --- a/fs/cifs/readdir.c +++ b/fs/cifs/readdir.c | |||
| @@ -554,7 +554,10 @@ static int find_cifs_entry(const int xid, struct cifs_tcon *pTcon, | |||
| 554 | rc); | 554 | rc); |
| 555 | return rc; | 555 | return rc; |
| 556 | } | 556 | } |
| 557 | cifs_save_resume_key(cifsFile->srch_inf.last_entry, cifsFile); | 557 | /* FindFirst/Next set last_entry to NULL on malformed reply */ |
| 558 | if (cifsFile->srch_inf.last_entry) | ||
| 559 | cifs_save_resume_key(cifsFile->srch_inf.last_entry, | ||
| 560 | cifsFile); | ||
| 558 | } | 561 | } |
| 559 | 562 | ||
| 560 | while ((index_to_find >= cifsFile->srch_inf.index_of_last_entry) && | 563 | while ((index_to_find >= cifsFile->srch_inf.index_of_last_entry) && |
| @@ -562,7 +565,10 @@ static int find_cifs_entry(const int xid, struct cifs_tcon *pTcon, | |||
| 562 | cFYI(1, "calling findnext2"); | 565 | cFYI(1, "calling findnext2"); |
| 563 | rc = CIFSFindNext(xid, pTcon, cifsFile->netfid, | 566 | rc = CIFSFindNext(xid, pTcon, cifsFile->netfid, |
| 564 | &cifsFile->srch_inf); | 567 | &cifsFile->srch_inf); |
| 565 | cifs_save_resume_key(cifsFile->srch_inf.last_entry, cifsFile); | 568 | /* FindFirst/Next set last_entry to NULL on malformed reply */ |
| 569 | if (cifsFile->srch_inf.last_entry) | ||
| 570 | cifs_save_resume_key(cifsFile->srch_inf.last_entry, | ||
| 571 | cifsFile); | ||
| 566 | if (rc) | 572 | if (rc) |
| 567 | return -ENOENT; | 573 | return -ENOENT; |
| 568 | } | 574 | } |