diff options
author | Linus Torvalds <torvalds@linux-foundation.org> | 2012-11-10 00:59:35 -0500 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2012-11-10 00:59:35 -0500 |
commit | affd9a8dbc22beadae1186aa060685d6f6a06792 (patch) | |
tree | 38979f4809c5364420035a036b594fef2d7fc539 /fs | |
parent | 487bda54d776f2ff094b5498429c1a85da165723 (diff) | |
parent | 3798f47aa276b332c30da499cb4df4577e2f8872 (diff) |
Merge branch 'for-linus' of git://git.samba.org/sfrench/cifs-2.6
Pull cifs fixes from Jeff Layton.
* 'for-linus' of git://git.samba.org/sfrench/cifs-2.6:
cifs: Do not lookup hashed negative dentry in cifs_atomic_open
cifs: fix potential buffer overrun in cifs.idmap handling code
Diffstat (limited to 'fs')
-rw-r--r-- | fs/cifs/cifsacl.c | 49 | ||||
-rw-r--r-- | fs/cifs/dir.c | 11 |
2 files changed, 30 insertions, 30 deletions
diff --git a/fs/cifs/cifsacl.c b/fs/cifs/cifsacl.c index fc783e264420..0fb15bbbe43c 100644 --- a/fs/cifs/cifsacl.c +++ b/fs/cifs/cifsacl.c | |||
@@ -225,6 +225,13 @@ sid_to_str(struct cifs_sid *sidptr, char *sidstr) | |||
225 | } | 225 | } |
226 | 226 | ||
227 | static void | 227 | static void |
228 | cifs_copy_sid(struct cifs_sid *dst, const struct cifs_sid *src) | ||
229 | { | ||
230 | memcpy(dst, src, sizeof(*dst)); | ||
231 | dst->num_subauth = min_t(u8, src->num_subauth, NUM_SUBAUTHS); | ||
232 | } | ||
233 | |||
234 | static void | ||
228 | id_rb_insert(struct rb_root *root, struct cifs_sid *sidptr, | 235 | id_rb_insert(struct rb_root *root, struct cifs_sid *sidptr, |
229 | struct cifs_sid_id **psidid, char *typestr) | 236 | struct cifs_sid_id **psidid, char *typestr) |
230 | { | 237 | { |
@@ -248,7 +255,7 @@ id_rb_insert(struct rb_root *root, struct cifs_sid *sidptr, | |||
248 | } | 255 | } |
249 | } | 256 | } |
250 | 257 | ||
251 | memcpy(&(*psidid)->sid, sidptr, sizeof(struct cifs_sid)); | 258 | cifs_copy_sid(&(*psidid)->sid, sidptr); |
252 | (*psidid)->time = jiffies - (SID_MAP_RETRY + 1); | 259 | (*psidid)->time = jiffies - (SID_MAP_RETRY + 1); |
253 | (*psidid)->refcount = 0; | 260 | (*psidid)->refcount = 0; |
254 | 261 | ||
@@ -354,7 +361,7 @@ id_to_sid(unsigned long cid, uint sidtype, struct cifs_sid *ssid) | |||
354 | * any fields of the node after a reference is put . | 361 | * any fields of the node after a reference is put . |
355 | */ | 362 | */ |
356 | if (test_bit(SID_ID_MAPPED, &psidid->state)) { | 363 | if (test_bit(SID_ID_MAPPED, &psidid->state)) { |
357 | memcpy(ssid, &psidid->sid, sizeof(struct cifs_sid)); | 364 | cifs_copy_sid(ssid, &psidid->sid); |
358 | psidid->time = jiffies; /* update ts for accessing */ | 365 | psidid->time = jiffies; /* update ts for accessing */ |
359 | goto id_sid_out; | 366 | goto id_sid_out; |
360 | } | 367 | } |
@@ -370,14 +377,14 @@ id_to_sid(unsigned long cid, uint sidtype, struct cifs_sid *ssid) | |||
370 | if (IS_ERR(sidkey)) { | 377 | if (IS_ERR(sidkey)) { |
371 | rc = -EINVAL; | 378 | rc = -EINVAL; |
372 | cFYI(1, "%s: Can't map and id to a SID", __func__); | 379 | cFYI(1, "%s: Can't map and id to a SID", __func__); |
380 | } else if (sidkey->datalen < sizeof(struct cifs_sid)) { | ||
381 | rc = -EIO; | ||
382 | cFYI(1, "%s: Downcall contained malformed key " | ||
383 | "(datalen=%hu)", __func__, sidkey->datalen); | ||
373 | } else { | 384 | } else { |
374 | lsid = (struct cifs_sid *)sidkey->payload.data; | 385 | lsid = (struct cifs_sid *)sidkey->payload.data; |
375 | memcpy(&psidid->sid, lsid, | 386 | cifs_copy_sid(&psidid->sid, lsid); |
376 | sidkey->datalen < sizeof(struct cifs_sid) ? | 387 | cifs_copy_sid(ssid, &psidid->sid); |
377 | sidkey->datalen : sizeof(struct cifs_sid)); | ||
378 | memcpy(ssid, &psidid->sid, | ||
379 | sidkey->datalen < sizeof(struct cifs_sid) ? | ||
380 | sidkey->datalen : sizeof(struct cifs_sid)); | ||
381 | set_bit(SID_ID_MAPPED, &psidid->state); | 388 | set_bit(SID_ID_MAPPED, &psidid->state); |
382 | key_put(sidkey); | 389 | key_put(sidkey); |
383 | kfree(psidid->sidstr); | 390 | kfree(psidid->sidstr); |
@@ -396,7 +403,7 @@ id_to_sid(unsigned long cid, uint sidtype, struct cifs_sid *ssid) | |||
396 | return rc; | 403 | return rc; |
397 | } | 404 | } |
398 | if (test_bit(SID_ID_MAPPED, &psidid->state)) | 405 | if (test_bit(SID_ID_MAPPED, &psidid->state)) |
399 | memcpy(ssid, &psidid->sid, sizeof(struct cifs_sid)); | 406 | cifs_copy_sid(ssid, &psidid->sid); |
400 | else | 407 | else |
401 | rc = -EINVAL; | 408 | rc = -EINVAL; |
402 | } | 409 | } |
@@ -675,8 +682,6 @@ int compare_sids(const struct cifs_sid *ctsid, const struct cifs_sid *cwsid) | |||
675 | static void copy_sec_desc(const struct cifs_ntsd *pntsd, | 682 | static void copy_sec_desc(const struct cifs_ntsd *pntsd, |
676 | struct cifs_ntsd *pnntsd, __u32 sidsoffset) | 683 | struct cifs_ntsd *pnntsd, __u32 sidsoffset) |
677 | { | 684 | { |
678 | int i; | ||
679 | |||
680 | struct cifs_sid *owner_sid_ptr, *group_sid_ptr; | 685 | struct cifs_sid *owner_sid_ptr, *group_sid_ptr; |
681 | struct cifs_sid *nowner_sid_ptr, *ngroup_sid_ptr; | 686 | struct cifs_sid *nowner_sid_ptr, *ngroup_sid_ptr; |
682 | 687 | ||
@@ -692,26 +697,14 @@ static void copy_sec_desc(const struct cifs_ntsd *pntsd, | |||
692 | owner_sid_ptr = (struct cifs_sid *)((char *)pntsd + | 697 | owner_sid_ptr = (struct cifs_sid *)((char *)pntsd + |
693 | le32_to_cpu(pntsd->osidoffset)); | 698 | le32_to_cpu(pntsd->osidoffset)); |
694 | nowner_sid_ptr = (struct cifs_sid *)((char *)pnntsd + sidsoffset); | 699 | nowner_sid_ptr = (struct cifs_sid *)((char *)pnntsd + sidsoffset); |
695 | 700 | cifs_copy_sid(nowner_sid_ptr, owner_sid_ptr); | |
696 | nowner_sid_ptr->revision = owner_sid_ptr->revision; | ||
697 | nowner_sid_ptr->num_subauth = owner_sid_ptr->num_subauth; | ||
698 | for (i = 0; i < 6; i++) | ||
699 | nowner_sid_ptr->authority[i] = owner_sid_ptr->authority[i]; | ||
700 | for (i = 0; i < 5; i++) | ||
701 | nowner_sid_ptr->sub_auth[i] = owner_sid_ptr->sub_auth[i]; | ||
702 | 701 | ||
703 | /* copy group sid */ | 702 | /* copy group sid */ |
704 | group_sid_ptr = (struct cifs_sid *)((char *)pntsd + | 703 | group_sid_ptr = (struct cifs_sid *)((char *)pntsd + |
705 | le32_to_cpu(pntsd->gsidoffset)); | 704 | le32_to_cpu(pntsd->gsidoffset)); |
706 | ngroup_sid_ptr = (struct cifs_sid *)((char *)pnntsd + sidsoffset + | 705 | ngroup_sid_ptr = (struct cifs_sid *)((char *)pnntsd + sidsoffset + |
707 | sizeof(struct cifs_sid)); | 706 | sizeof(struct cifs_sid)); |
708 | 707 | cifs_copy_sid(ngroup_sid_ptr, group_sid_ptr); | |
709 | ngroup_sid_ptr->revision = group_sid_ptr->revision; | ||
710 | ngroup_sid_ptr->num_subauth = group_sid_ptr->num_subauth; | ||
711 | for (i = 0; i < 6; i++) | ||
712 | ngroup_sid_ptr->authority[i] = group_sid_ptr->authority[i]; | ||
713 | for (i = 0; i < 5; i++) | ||
714 | ngroup_sid_ptr->sub_auth[i] = group_sid_ptr->sub_auth[i]; | ||
715 | 708 | ||
716 | return; | 709 | return; |
717 | } | 710 | } |
@@ -1120,8 +1113,7 @@ static int build_sec_desc(struct cifs_ntsd *pntsd, struct cifs_ntsd *pnntsd, | |||
1120 | kfree(nowner_sid_ptr); | 1113 | kfree(nowner_sid_ptr); |
1121 | return rc; | 1114 | return rc; |
1122 | } | 1115 | } |
1123 | memcpy(owner_sid_ptr, nowner_sid_ptr, | 1116 | cifs_copy_sid(owner_sid_ptr, nowner_sid_ptr); |
1124 | sizeof(struct cifs_sid)); | ||
1125 | kfree(nowner_sid_ptr); | 1117 | kfree(nowner_sid_ptr); |
1126 | *aclflag = CIFS_ACL_OWNER; | 1118 | *aclflag = CIFS_ACL_OWNER; |
1127 | } | 1119 | } |
@@ -1139,8 +1131,7 @@ static int build_sec_desc(struct cifs_ntsd *pntsd, struct cifs_ntsd *pnntsd, | |||
1139 | kfree(ngroup_sid_ptr); | 1131 | kfree(ngroup_sid_ptr); |
1140 | return rc; | 1132 | return rc; |
1141 | } | 1133 | } |
1142 | memcpy(group_sid_ptr, ngroup_sid_ptr, | 1134 | cifs_copy_sid(group_sid_ptr, ngroup_sid_ptr); |
1143 | sizeof(struct cifs_sid)); | ||
1144 | kfree(ngroup_sid_ptr); | 1135 | kfree(ngroup_sid_ptr); |
1145 | *aclflag = CIFS_ACL_GROUP; | 1136 | *aclflag = CIFS_ACL_GROUP; |
1146 | } | 1137 | } |
diff --git a/fs/cifs/dir.c b/fs/cifs/dir.c index 7c0a81283645..d3671f2acb29 100644 --- a/fs/cifs/dir.c +++ b/fs/cifs/dir.c | |||
@@ -398,7 +398,16 @@ cifs_atomic_open(struct inode *inode, struct dentry *direntry, | |||
398 | * in network traffic in the other paths. | 398 | * in network traffic in the other paths. |
399 | */ | 399 | */ |
400 | if (!(oflags & O_CREAT)) { | 400 | if (!(oflags & O_CREAT)) { |
401 | struct dentry *res = cifs_lookup(inode, direntry, 0); | 401 | struct dentry *res; |
402 | |||
403 | /* | ||
404 | * Check for hashed negative dentry. We have already revalidated | ||
405 | * the dentry and it is fine. No need to perform another lookup. | ||
406 | */ | ||
407 | if (!d_unhashed(direntry)) | ||
408 | return -ENOENT; | ||
409 | |||
410 | res = cifs_lookup(inode, direntry, 0); | ||
402 | if (IS_ERR(res)) | 411 | if (IS_ERR(res)) |
403 | return PTR_ERR(res); | 412 | return PTR_ERR(res); |
404 | 413 | ||