aboutsummaryrefslogtreecommitdiffstats
path: root/fs
diff options
context:
space:
mode:
authorJeff Layton <jlayton@redhat.com>2012-01-01 10:34:39 -0500
committerSteve French <smfrench@gmail.com>2012-01-03 21:34:17 -0500
commit497728e11a9deeaea18be19fadcf7f1c85efbcf7 (patch)
tree426b57623483588f7bdc15dc01cbd0930949fac1 /fs
parentf9fab10bbd768b0e5254e53a4a8477a94bfc4b96 (diff)
cifs: fix bad buffer length check in coalesce_t2
The current check looks to see if the RFC1002 length is larger than CIFSMaxBufSize, and fails if it is. The buffer is actually larger than that by MAX_CIFS_HDR_SIZE. This bug has been around for a long time, but the fact that we used to cap the clients MaxBufferSize at the same level as the server tended to paper over it. Commit c974befa changed that however and caused this bug to bite in more cases. Reported-and-Tested-by: Konstantinos Skarlatos <k.skarlatos@gmail.com> Tested-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com> Signed-off-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve French <smfrench@gmail.com>
Diffstat (limited to 'fs')
-rw-r--r--fs/cifs/connect.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index 8cd4b52d4217..27c4f2551711 100644
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -282,7 +282,7 @@ static int coalesce_t2(struct smb_hdr *psecond, struct smb_hdr *pTargetSMB)
282 byte_count = be32_to_cpu(pTargetSMB->smb_buf_length); 282 byte_count = be32_to_cpu(pTargetSMB->smb_buf_length);
283 byte_count += total_in_buf2; 283 byte_count += total_in_buf2;
284 /* don't allow buffer to overflow */ 284 /* don't allow buffer to overflow */
285 if (byte_count > CIFSMaxBufSize) 285 if (byte_count > CIFSMaxBufSize + MAX_CIFS_HDR_SIZE - 4)
286 return -ENOBUFS; 286 return -ENOBUFS;
287 pTargetSMB->smb_buf_length = cpu_to_be32(byte_count); 287 pTargetSMB->smb_buf_length = cpu_to_be32(byte_count);
288 288