diff options
author | Tim Gardner <tim.gardner@canonical.com> | 2013-10-13 15:29:03 -0400 |
---|---|---|
committer | Steve French <smfrench@gmail.com> | 2013-10-14 13:14:01 -0400 |
commit | 0c26606cbe4937f2228a27bb0c2cad19855be87a (patch) | |
tree | a6750a3f37ce363f9019a4a41e65384ab7383d4a /fs | |
parent | dde2356c8466298bd77fa699e0ea296372eed47b (diff) |
cifs: ntstatus_to_dos_map[] is not terminated
Functions that walk the ntstatus_to_dos_map[] array could
run off the end. For example, ntstatus_to_dos() loops
while ntstatus_to_dos_map[].ntstatus is not 0. Granted,
this is mostly theoretical, but could be used as a DOS attack
if the error code in the SMB header is bogus.
[Might consider adding to stable, as this patch is low risk - Steve]
Reviewed-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Steve French <smfrench@gmail.com>
Diffstat (limited to 'fs')
-rw-r--r-- | fs/cifs/netmisc.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/fs/cifs/netmisc.c b/fs/cifs/netmisc.c index af847e1cf1c1..651a5279607b 100644 --- a/fs/cifs/netmisc.c +++ b/fs/cifs/netmisc.c | |||
@@ -780,7 +780,9 @@ static const struct { | |||
780 | ERRDOS, ERRnoaccess, 0xc0000290}, { | 780 | ERRDOS, ERRnoaccess, 0xc0000290}, { |
781 | ERRDOS, ERRbadfunc, 0xc000029c}, { | 781 | ERRDOS, ERRbadfunc, 0xc000029c}, { |
782 | ERRDOS, ERRsymlink, NT_STATUS_STOPPED_ON_SYMLINK}, { | 782 | ERRDOS, ERRsymlink, NT_STATUS_STOPPED_ON_SYMLINK}, { |
783 | ERRDOS, ERRinvlevel, 0x007c0001}, }; | 783 | ERRDOS, ERRinvlevel, 0x007c0001}, { |
784 | 0, 0, 0 } | ||
785 | }; | ||
784 | 786 | ||
785 | /***************************************************************************** | 787 | /***************************************************************************** |
786 | Print an error message from the status code | 788 | Print an error message from the status code |