1 files changed, 16 insertions, 6 deletions
diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index 4bc862a80efa..8b75a8ec90b4 100644
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -274,7 +274,8 @@ static int coalesce_t2(struct smb_hdr *psecond, struct smb_hdr *pTargetSMB)
        char *data_area_of_target;
        char *data_area_of_buf2;
        int remaining;
-        __u16 byte_count, total_data_size, total_in_buf, total_in_buf2;
+        unsigned int byte_count, total_in_buf;
+        __u16 total_data_size, total_in_buf2;
        total_data_size = get_unaligned_le16(&pSMBt->t2_rsp.TotalDataCount);
@@ -287,7 +288,7 @@ static int coalesce_t2(struct smb_hdr *psecond, struct smb_hdr *pTargetSMB)
        remaining = total_data_size - total_in_buf;
        if (remaining < 0)
-                return -EINVAL;
+                return -EPROTO;
        if (remaining == 0) /* nothing to do, ignore */
                return 0;
@@ -308,20 +309,29 @@ static int coalesce_t2(struct smb_hdr *psecond, struct smb_hdr *pTargetSMB)
        data_area_of_target += total_in_buf;
        /* copy second buffer into end of first buffer */
-        memcpy(data_area_of_target, data_area_of_buf2, total_in_buf2);
        total_in_buf += total_in_buf2;
+        /* is the result too big for the field? */
+        if (total_in_buf > USHRT_MAX)
+                return -EPROTO;
        put_unaligned_le16(total_in_buf, &pSMBt->t2_rsp.DataCount);
+        /* fix up the BCC */
        byte_count = get_bcc_le(pTargetSMB);
        byte_count += total_in_buf2;
+        /* is the result too big for the field? */
+        if (byte_count > USHRT_MAX)
+                return -EPROTO;
        put_bcc_le(byte_count, pTargetSMB);
        byte_count = pTargetSMB->smb_buf_length;
        byte_count += total_in_buf2;
+        /* don't allow buffer to overflow */
-        /* BB also add check that we are not beyond maximum buffer size */
+        if (byte_count > CIFSMaxBufSize)
+                return -ENOBUFS;
        pTargetSMB->smb_buf_length = byte_count;
+        memcpy(data_area_of_target, data_area_of_buf2, total_in_buf2);
        if (remaining == total_in_buf2) {
                cFYI(1, "found the last secondary response");
                return 0; /* we are done */

diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c index 4bc862a80efa..8b75a8ec90b4 100644 --- a/fs/cifs/connect.c +++ b/fs/cifs/connect.c
@@ -274,7 +274,8 @@ static int coalesce_t2(struct smb_hdr psecond, struct smb_hdr pTargetSMB)
274	char *data_area_of_target;	274	char *data_area_of_target;
275	char *data_area_of_buf2;	275	char *data_area_of_buf2;
276	int remaining;	276	int remaining;
277	__u16 byte_count, total_data_size, total_in_buf, total_in_buf2;	277	unsigned int byte_count, total_in_buf;
		278	__u16 total_data_size, total_in_buf2;
278		279
279	total_data_size = get_unaligned_le16(&pSMBt->t2_rsp.TotalDataCount);	280	total_data_size = get_unaligned_le16(&pSMBt->t2_rsp.TotalDataCount);
280		281
@@ -287,7 +288,7 @@ static int coalesce_t2(struct smb_hdr psecond, struct smb_hdr pTargetSMB)
287	remaining = total_data_size - total_in_buf;	288	remaining = total_data_size - total_in_buf;
288		289
289	if (remaining < 0)	290	if (remaining < 0)
290	return -EINVAL;	291	return -EPROTO;
291		292
292	if (remaining == 0) /* nothing to do, ignore */	293	if (remaining == 0) /* nothing to do, ignore */
293	return 0;	294	return 0;
@@ -308,20 +309,29 @@ static int coalesce_t2(struct smb_hdr psecond, struct smb_hdr pTargetSMB)
308	data_area_of_target += total_in_buf;	309	data_area_of_target += total_in_buf;
309		310
310	/* copy second buffer into end of first buffer */	311	/* copy second buffer into end of first buffer */
311	memcpy(data_area_of_target, data_area_of_buf2, total_in_buf2);
312	total_in_buf += total_in_buf2;	312	total_in_buf += total_in_buf2;
		313	/* is the result too big for the field? */
		314	if (total_in_buf > USHRT_MAX)
		315	return -EPROTO;
313	put_unaligned_le16(total_in_buf, &pSMBt->t2_rsp.DataCount);	316	put_unaligned_le16(total_in_buf, &pSMBt->t2_rsp.DataCount);
		317
		318	/* fix up the BCC */
314	byte_count = get_bcc_le(pTargetSMB);	319	byte_count = get_bcc_le(pTargetSMB);
315	byte_count += total_in_buf2;	320	byte_count += total_in_buf2;
		321	/* is the result too big for the field? */
		322	if (byte_count > USHRT_MAX)
		323	return -EPROTO;
316	put_bcc_le(byte_count, pTargetSMB);	324	put_bcc_le(byte_count, pTargetSMB);
317		325
318	byte_count = pTargetSMB->smb_buf_length;	326	byte_count = pTargetSMB->smb_buf_length;
319	byte_count += total_in_buf2;	327	byte_count += total_in_buf2;
320		328	/* don't allow buffer to overflow */
321	/* BB also add check that we are not beyond maximum buffer size */	329	if (byte_count > CIFSMaxBufSize)
322		330	return -ENOBUFS;
323	pTargetSMB->smb_buf_length = byte_count;	331	pTargetSMB->smb_buf_length = byte_count;
324		332
		333	memcpy(data_area_of_target, data_area_of_buf2, total_in_buf2);
		334
325	if (remaining == total_in_buf2) {	335	if (remaining == total_in_buf2) {
326	cFYI(1, "found the last secondary response");	336	cFYI(1, "found the last secondary response");
327	return 0; /* we are done */	337	return 0; /* we are done */