aboutsummaryrefslogtreecommitdiffstats
path: root/fs
diff options
context:
space:
mode:
authorTim Gardner <tim.gardner@canonical.com>2013-10-13 15:29:03 -0400
committerSteve French <smfrench@gmail.com>2013-10-14 13:14:01 -0400
commit0c26606cbe4937f2228a27bb0c2cad19855be87a (patch)
treea6750a3f37ce363f9019a4a41e65384ab7383d4a /fs
parentdde2356c8466298bd77fa699e0ea296372eed47b (diff)
cifs: ntstatus_to_dos_map[] is not terminated
Functions that walk the ntstatus_to_dos_map[] array could run off the end. For example, ntstatus_to_dos() loops while ntstatus_to_dos_map[].ntstatus is not 0. Granted, this is mostly theoretical, but could be used as a DOS attack if the error code in the SMB header is bogus. [Might consider adding to stable, as this patch is low risk - Steve] Reviewed-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com> Signed-off-by: Steve French <smfrench@gmail.com>
Diffstat (limited to 'fs')
-rw-r--r--fs/cifs/netmisc.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/fs/cifs/netmisc.c b/fs/cifs/netmisc.c
index af847e1cf1c1..651a5279607b 100644
--- a/fs/cifs/netmisc.c
+++ b/fs/cifs/netmisc.c
@@ -780,7 +780,9 @@ static const struct {
780 ERRDOS, ERRnoaccess, 0xc0000290}, { 780 ERRDOS, ERRnoaccess, 0xc0000290}, {
781 ERRDOS, ERRbadfunc, 0xc000029c}, { 781 ERRDOS, ERRbadfunc, 0xc000029c}, {
782 ERRDOS, ERRsymlink, NT_STATUS_STOPPED_ON_SYMLINK}, { 782 ERRDOS, ERRsymlink, NT_STATUS_STOPPED_ON_SYMLINK}, {
783 ERRDOS, ERRinvlevel, 0x007c0001}, }; 783 ERRDOS, ERRinvlevel, 0x007c0001}, {
784 0, 0, 0 }
785};
784 786
785/***************************************************************************** 787/*****************************************************************************
786 Print an error message from the status code 788 Print an error message from the status code