1 files changed, 126 insertions, 234 deletions
diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c
index 941441d3e386..9d17df3e0768 100644
--- a/fs/cifs/cifssmb.c
+++ b/fs/cifs/cifssmb.c
@@ -170,19 +170,19 @@ cifs_reconnect_tcon(struct cifsTconInfo *tcon, int smb_command)
         * need to prevent multiple threads trying to simultaneously
         * reconnect the same SMB session
         */
-        down(&ses->sesSem);
+        mutex_lock(&ses->session_mutex);
        if (ses->need_reconnect)
                rc = cifs_setup_session(0, ses, nls_codepage);
        /* do we need to reconnect tcon? */
        if (rc || !tcon->need_reconnect) {
-                up(&ses->sesSem);
+                mutex_unlock(&ses->session_mutex);
                goto out;
        }
        mark_open_files_invalid(tcon);
        rc = CIFSTCon(0, ses, tcon->treeName, tcon, nls_codepage);
-        up(&ses->sesSem);
+        mutex_unlock(&ses->session_mutex);
        cFYI(1, ("reconnect tcon rc = %d", rc));
        if (rc)
@@ -700,13 +700,13 @@ CIFSSMBLogoff(const int xid, struct cifsSesInfo *ses)
        if (!ses || !ses->server)
                return -EIO;
-        down(&ses->sesSem);
+        mutex_lock(&ses->session_mutex);
        if (ses->need_reconnect)
                goto session_already_dead; /* no need to send SMBlogoff if uid
                                              already closed due to reconnect */
        rc = small_smb_init(SMB_COM_LOGOFF_ANDX, 2, NULL, (void **)&pSMB);
        if (rc) {
-                up(&ses->sesSem);
+                mutex_unlock(&ses->session_mutex);
                return rc;
        }
@@ -721,7 +721,7 @@ CIFSSMBLogoff(const int xid, struct cifsSesInfo *ses)
        pSMB->AndXCommand = 0xFF;
        rc = SendReceiveNoRsp(xid, ses, (struct smb_hdr *) pSMB, 0);
 session_already_dead:
-        up(&ses->sesSem);
+        mutex_unlock(&ses->session_mutex);
        /* if session dead then we do not need to do ulogoff,
                since server closed smb session, no sense reporting
@@ -5269,22 +5269,34 @@ int CIFSSMBNotify(const int xid, struct cifsTconInfo *tcon,
        cifs_buf_release(pSMB);
        return rc;
 }
 #ifdef CONFIG_CIFS_XATTR
+/*
+ * Do a path-based QUERY_ALL_EAS call and parse the result. This is a common
+ * function used by listxattr and getxattr type calls. When ea_name is set,
+ * it looks for that attribute name and stuffs that value into the EAData
+ * buffer. When ea_name is NULL, it stuffs a list of attribute names into the
+ * buffer. In both cases, the return value is either the length of the
+ * resulting data or a negative error code. If EAData is a NULL pointer then
+ * the data isn't copied to it, but the length is returned.
+ */
 ssize_t
 CIFSSMBQAllEAs(const int xid, struct cifsTconInfo *tcon,
-                 const unsigned char *searchName,
+                const unsigned char *searchName, const unsigned char *ea_name,
-                 char *EAData, size_t buf_size,
+                char *EAData, size_t buf_size,
-                 const struct nls_table *nls_codepage, int remap)
+                const struct nls_table *nls_codepage, int remap)
 {
                /* BB assumes one setup word */
        TRANSACTION2_QPI_REQ *pSMB = NULL;
        TRANSACTION2_QPI_RSP *pSMBr = NULL;
        int rc = 0;
        int bytes_returned;
-        int name_len;
+        int list_len;
+        struct fealist *ea_response_data;
        struct fea *temp_fea;
        char *temp_ptr;
-        __u16 params, byte_count;
+        char *end_of_smb;
+        __u16 params, byte_count, data_offset;
        cFYI(1, ("In Query All EAs path %s", searchName));
 QAllEAsRetry:
@@ -5294,22 +5306,22 @@ QAllEAsRetry:
                return rc;
        if (pSMB->hdr.Flags2 & SMBFLG2_UNICODE) {
-                name_len =
+                list_len =
                    cifsConvertToUCS((__le16 *) pSMB->FileName, searchName,
                                     PATH_MAX, nls_codepage, remap);
-                name_len++;     /* trailing null */
+                list_len++;     /* trailing null */
-                name_len *= 2;
+                list_len *= 2;
        } else {        /* BB improve the check for buffer overruns BB */
-                name_len = strnlen(searchName, PATH_MAX);
+                list_len = strnlen(searchName, PATH_MAX);
-                name_len++;     /* trailing null */
+                list_len++;     /* trailing null */
-                strncpy(pSMB->FileName, searchName, name_len);
+                strncpy(pSMB->FileName, searchName, list_len);
        }
-        params = 2 /* level */ + 4 /* reserved */ + name_len /* includes NUL */;
+        params = 2 /* level */ + 4 /* reserved */ + list_len /* includes NUL */;
        pSMB->TotalDataCount = 0;
        pSMB->MaxParameterCount = cpu_to_le16(2);
        /* BB find exact max SMB PDU from sess structure BB */
-        pSMB->MaxDataCount = cpu_to_le16(4000);
+        pSMB->MaxDataCount = cpu_to_le16(CIFSMaxBufSize);
        pSMB->MaxSetupCount = 0;
        pSMB->Reserved = 0;
        pSMB->Flags = 0;
@@ -5334,237 +5346,117 @@ QAllEAsRetry:
                         (struct smb_hdr *) pSMBr, &bytes_returned, 0);
        if (rc) {
                cFYI(1, ("Send error in QueryAllEAs = %d", rc));
-        } else {                /* decode response */
+                goto QAllEAsOut;
-                rc = validate_t2((struct smb_t2_rsp *)pSMBr);
+        }
-                /* BB also check enough total bytes returned */
-                /* BB we need to improve the validity checking
+        /* BB also check enough total bytes returned */
-                of these trans2 responses */
+        /* BB we need to improve the validity checking
-                if (rc || (pSMBr->ByteCount < 4))
+        of these trans2 responses */
-                        rc = -EIO;      /* bad smb */
-           /* else if (pFindData){
+        rc = validate_t2((struct smb_t2_rsp *)pSMBr);
-                        memcpy((char *) pFindData,
+        if (rc || (pSMBr->ByteCount < 4)) {
-                               (char *) &pSMBr->hdr.Protocol +
+                rc = -EIO;      /* bad smb */
-                               data_offset, kl);
+                goto QAllEAsOut;
-                }*/ else {
-                        /* check that length of list is not more than bcc */
-                        /* check that each entry does not go beyond length
-                           of list */
-                        /* check that each element of each entry does not
-                           go beyond end of list */
-                        __u16 data_offset = le16_to_cpu(pSMBr->t2.DataOffset);
-                        struct fealist *ea_response_data;
-                        rc = 0;
-                        /* validate_trans2_offsets() */
-                        /* BB check if start of smb + data_offset > &bcc+ bcc */
-                        ea_response_data = (struct fealist *)
-                                (((char *) &pSMBr->hdr.Protocol) +
-                                data_offset);
-                        name_len = le32_to_cpu(ea_response_data->list_len);
-                        cFYI(1, ("ea length %d", name_len));
-                        if (name_len <= 8) {
-                        /* returned EA size zeroed at top of function */
-                                cFYI(1, ("empty EA list returned from server"));
-                        } else {
-                                /* account for ea list len */
-                                name_len -= 4;
-                                temp_fea = ea_response_data->list;
-                                temp_ptr = (char *)temp_fea;
-                                while (name_len > 0) {
-                                        __u16 value_len;
-                                        name_len -= 4;
-                                        temp_ptr += 4;
-                                        rc += temp_fea->name_len;
-                                /* account for prefix user. and trailing null */
-                                        rc = rc + 5 + 1;
-                                        if (rc < (int)buf_size) {
-                                                memcpy(EAData, "user.", 5);
-                                                EAData += 5;
-                                                memcpy(EAData, temp_ptr,
-                                                       temp_fea->name_len);
-                                                EAData += temp_fea->name_len;
-                                                /* null terminate name */
-                                                *EAData = 0;
-                                                EAData = EAData + 1;
-                                        } else if (buf_size == 0) {
-                                                /* skip copy - calc size only */
-                                        } else {
-                                                /* stop before overrun buffer */
-                                                rc = -ERANGE;
-                                                break;
-                                        }
-                                        name_len -= temp_fea->name_len;
-                                        temp_ptr += temp_fea->name_len;
-                                        /* account for trailing null */
-                                        name_len--;
-                                        temp_ptr++;
-                                        value_len =
-                                              le16_to_cpu(temp_fea->value_len);
-                                        name_len -= value_len;
-                                        temp_ptr += value_len;
-                                        /* BB check that temp_ptr is still
-                                              within the SMB BB*/
-                                        /* no trailing null to account for
-                                           in value len */
-                                        /* go on to next EA */
-                                        temp_fea = (struct fea *)temp_ptr;
-                                }
-                        }
-                }
        }
-        cifs_buf_release(pSMB);
-        if (rc == -EAGAIN)
-                goto QAllEAsRetry;
-        return (ssize_t)rc;
+        /* check that length of list is not more than bcc */
-}
+        /* check that each entry does not go beyond length
+           of list */
+        /* check that each element of each entry does not
+           go beyond end of list */
+        /* validate_trans2_offsets() */
+        /* BB check if start of smb + data_offset > &bcc+ bcc */
-ssize_t CIFSSMBQueryEA(const int xid, struct cifsTconInfo *tcon,
+        data_offset = le16_to_cpu(pSMBr->t2.DataOffset);
-                const unsigned char *searchName, const unsigned char *ea_name,
+        ea_response_data = (struct fealist *)
-                unsigned char *ea_value, size_t buf_size,
+                                (((char *) &pSMBr->hdr.Protocol) + data_offset);
-                const struct nls_table *nls_codepage, int remap)
-{
-        TRANSACTION2_QPI_REQ *pSMB = NULL;
-        TRANSACTION2_QPI_RSP *pSMBr = NULL;
-        int rc = 0;
-        int bytes_returned;
-        int name_len;
-        struct fea *temp_fea;
-        char *temp_ptr;
-        __u16 params, byte_count;
-        cFYI(1, ("In Query EA path %s", searchName));
+        list_len = le32_to_cpu(ea_response_data->list_len);
-QEARetry:
+        cFYI(1, ("ea length %d", list_len));
-        rc = smb_init(SMB_COM_TRANSACTION2, 15, tcon, (void **) &pSMB,
+        if (list_len <= 8) {
-                      (void **) &pSMBr);
+                cFYI(1, ("empty EA list returned from server"));
-        if (rc)
+                goto QAllEAsOut;
-                return rc;
+        }
-        if (pSMB->hdr.Flags2 & SMBFLG2_UNICODE) {
+        /* make sure list_len doesn't go past end of SMB */
-                name_len =
+        end_of_smb = (char *)pByteArea(&pSMBr->hdr) + BCC(&pSMBr->hdr);
-                    cifsConvertToUCS((__le16 *) pSMB->FileName, searchName,
+        if ((char *)ea_response_data + list_len > end_of_smb) {
-                                     PATH_MAX, nls_codepage, remap);
+                cFYI(1, ("EA list appears to go beyond SMB"));
-                name_len++;     /* trailing null */
+                rc = -EIO;
-                name_len *= 2;
+                goto QAllEAsOut;
-        } else {        /* BB improve the check for buffer overruns BB */
-                name_len = strnlen(searchName, PATH_MAX);
-                name_len++;     /* trailing null */
-                strncpy(pSMB->FileName, searchName, name_len);
        }
-        params = 2 /* level */ + 4 /* reserved */ + name_len /* includes NUL */;
+        /* account for ea list len */
-        pSMB->TotalDataCount = 0;
+        list_len -= 4;
-        pSMB->MaxParameterCount = cpu_to_le16(2);
+        temp_fea = ea_response_data->list;
-        /* BB find exact max SMB PDU from sess structure BB */
+        temp_ptr = (char *)temp_fea;
-        pSMB->MaxDataCount = cpu_to_le16(4000);
+        while (list_len > 0) {
-        pSMB->MaxSetupCount = 0;
+                unsigned int name_len;
-        pSMB->Reserved = 0;
+                __u16 value_len;
-        pSMB->Flags = 0;
-        pSMB->Timeout = 0;
+                list_len -= 4;
-        pSMB->Reserved2 = 0;
+                temp_ptr += 4;
-        pSMB->ParameterOffset = cpu_to_le16(offsetof(
+                /* make sure we can read name_len and value_len */
-                struct smb_com_transaction2_qpi_req, InformationLevel) - 4);
+                if (list_len < 0) {
-        pSMB->DataCount = 0;
+                        cFYI(1, ("EA entry goes beyond length of list"));
-        pSMB->DataOffset = 0;
+                        rc = -EIO;
-        pSMB->SetupCount = 1;
+                        goto QAllEAsOut;
-        pSMB->Reserved3 = 0;
+                }
-        pSMB->SubCommand = cpu_to_le16(TRANS2_QUERY_PATH_INFORMATION);
-        byte_count = params + 1 /* pad */ ;
-        pSMB->TotalParameterCount = cpu_to_le16(params);
-        pSMB->ParameterCount = pSMB->TotalParameterCount;
-        pSMB->InformationLevel = cpu_to_le16(SMB_INFO_QUERY_ALL_EAS);
-        pSMB->Reserved4 = 0;
-        pSMB->hdr.smb_buf_length += byte_count;
-        pSMB->ByteCount = cpu_to_le16(byte_count);
-        rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
+                name_len = temp_fea->name_len;
-                         (struct smb_hdr *) pSMBr, &bytes_returned, 0);
+                value_len = le16_to_cpu(temp_fea->value_len);
-        if (rc) {
+                list_len -= name_len + 1 + value_len;
-                cFYI(1, ("Send error in Query EA = %d", rc));
+                if (list_len < 0) {
-        } else {                /* decode response */
+                        cFYI(1, ("EA entry goes beyond length of list"));
-                rc = validate_t2((struct smb_t2_rsp *)pSMBr);
+                        rc = -EIO;
+                        goto QAllEAsOut;
+                }
-                /* BB also check enough total bytes returned */
+                if (ea_name) {
-                /* BB we need to improve the validity checking
+                        if (strncmp(ea_name, temp_ptr, name_len) == 0) {
-                of these trans2 responses */
+                                temp_ptr += name_len + 1;
-                if (rc || (pSMBr->ByteCount < 4))
+                                rc = value_len;
-                        rc = -EIO;      /* bad smb */
+                                if (buf_size == 0)
-           /* else if (pFindData){
+                                        goto QAllEAsOut;
-                        memcpy((char *) pFindData,
+                                if ((size_t)value_len > buf_size) {
-                               (char *) &pSMBr->hdr.Protocol +
+                                        rc = -ERANGE;
-                               data_offset, kl);
+                                        goto QAllEAsOut;
-                }*/ else {
-                        /* check that length of list is not more than bcc */
-                        /* check that each entry does not go beyond length
-                           of list */
-                        /* check that each element of each entry does not
-                           go beyond end of list */
-                        __u16 data_offset = le16_to_cpu(pSMBr->t2.DataOffset);
-                        struct fealist *ea_response_data;
-                        rc = -ENODATA;
-                        /* validate_trans2_offsets() */
-                        /* BB check if start of smb + data_offset > &bcc+ bcc*/
-                        ea_response_data = (struct fealist *)
-                                (((char *) &pSMBr->hdr.Protocol) +
-                                data_offset);
-                        name_len = le32_to_cpu(ea_response_data->list_len);
-                        cFYI(1, ("ea length %d", name_len));
-                        if (name_len <= 8) {
-                        /* returned EA size zeroed at top of function */
-                                cFYI(1, ("empty EA list returned from server"));
-                        } else {
-                                /* account for ea list len */
-                                name_len -= 4;
-                                temp_fea = ea_response_data->list;
-                                temp_ptr = (char *)temp_fea;
-                                /* loop through checking if we have a matching
-                                name and then return the associated value */
-                                while (name_len > 0) {
-                                        __u16 value_len;
-                                        name_len -= 4;
-                                        temp_ptr += 4;
-                                        value_len =
-                                              le16_to_cpu(temp_fea->value_len);
-                                /* BB validate that value_len falls within SMB,
-                                even though maximum for name_len is 255 */
-                                        if (memcmp(temp_fea->name, ea_name,
-                                                  temp_fea->name_len) == 0) {
-                                                /* found a match */
-                                                rc = value_len;
-                                /* account for prefix user. and trailing null */
-                                                if (rc <= (int)buf_size) {
-                                                        memcpy(ea_value,
-                                                                temp_fea->name+temp_fea->name_len+1,
-                                                                rc);
-                                                        /* ea values, unlike ea
-                                                           names, are not null
-                                                           terminated */
-                                                } else if (buf_size == 0) {
-                                                /* skip copy - calc size only */
-                                                } else {
-                                                /* stop before overrun buffer */
-                                                        rc = -ERANGE;
-                                                }
-                                                break;
-                                        }
-                                        name_len -= temp_fea->name_len;
-                                        temp_ptr += temp_fea->name_len;
-                                        /* account for trailing null */
-                                        name_len--;
-                                        temp_ptr++;
-                                        name_len -= value_len;
-                                        temp_ptr += value_len;
-                                        /* No trailing null to account for in
-                                           value_len.  Go on to next EA */
-                                        temp_fea = (struct fea *)temp_ptr;
                                }
+                                memcpy(EAData, temp_ptr, value_len);
+                                goto QAllEAsOut;
+                        }
+                } else {
+                        /* account for prefix user. and trailing null */
+                        rc += (5 + 1 + name_len);
+                        if (rc < (int) buf_size) {
+                                memcpy(EAData, "user.", 5);
+                                EAData += 5;
+                                memcpy(EAData, temp_ptr, name_len);
+                                EAData += name_len;
+                                /* null terminate name */
+                                *EAData = 0;
+                                ++EAData;
+                        } else if (buf_size == 0) {
+                                /* skip copy - calc size only */
+                        } else {
+                                /* stop before overrun buffer */
+                                rc = -ERANGE;
+                                break;
                        }
                }
+                temp_ptr += name_len + 1 + value_len;
+                temp_fea = (struct fea *)temp_ptr;
        }
+        /* didn't find the named attribute */
+        if (ea_name)
+                rc = -ENODATA;
+QAllEAsOut:
        cifs_buf_release(pSMB);
        if (rc == -EAGAIN)
-                goto QEARetry;
+                goto QAllEAsRetry;
        return (ssize_t)rc;
 }

diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c index 941441d3e386..9d17df3e0768 100644 --- a/fs/cifs/cifssmb.c +++ b/fs/cifs/cifssmb.c
@@ -170,19 +170,19 @@ cifs_reconnect_tcon(struct cifsTconInfo *tcon, int smb_command)
170	* need to prevent multiple threads trying to simultaneously	170	* need to prevent multiple threads trying to simultaneously
171	* reconnect the same SMB session	171	* reconnect the same SMB session
172	*/	172	*/
173	down(&ses->sesSem);	173	mutex_lock(&ses->session_mutex);
174	if (ses->need_reconnect)	174	if (ses->need_reconnect)
175	rc = cifs_setup_session(0, ses, nls_codepage);	175	rc = cifs_setup_session(0, ses, nls_codepage);
176		176
177	/* do we need to reconnect tcon? */	177	/* do we need to reconnect tcon? */
178	if (rc \|\| !tcon->need_reconnect) {	178	if (rc \|\| !tcon->need_reconnect) {
179	up(&ses->sesSem);	179	mutex_unlock(&ses->session_mutex);
180	goto out;	180	goto out;
181	}	181	}
182		182
183	mark_open_files_invalid(tcon);	183	mark_open_files_invalid(tcon);
184	rc = CIFSTCon(0, ses, tcon->treeName, tcon, nls_codepage);	184	rc = CIFSTCon(0, ses, tcon->treeName, tcon, nls_codepage);
185	up(&ses->sesSem);	185	mutex_unlock(&ses->session_mutex);
186	cFYI(1, ("reconnect tcon rc = %d", rc));	186	cFYI(1, ("reconnect tcon rc = %d", rc));
187		187
188	if (rc)	188	if (rc)
@@ -700,13 +700,13 @@ CIFSSMBLogoff(const int xid, struct cifsSesInfo *ses)
700	if (!ses \|\| !ses->server)	700	if (!ses \|\| !ses->server)
701	return -EIO;	701	return -EIO;
702		702
703	down(&ses->sesSem);	703	mutex_lock(&ses->session_mutex);
704	if (ses->need_reconnect)	704	if (ses->need_reconnect)
705	goto session_already_dead; /* no need to send SMBlogoff if uid	705	goto session_already_dead; /* no need to send SMBlogoff if uid
706	already closed due to reconnect */	706	already closed due to reconnect */
707	rc = small_smb_init(SMB_COM_LOGOFF_ANDX, 2, NULL, (void **)&pSMB);	707	rc = small_smb_init(SMB_COM_LOGOFF_ANDX, 2, NULL, (void **)&pSMB);
708	if (rc) {	708	if (rc) {
709	up(&ses->sesSem);	709	mutex_unlock(&ses->session_mutex);
710	return rc;	710	return rc;
711	}	711	}
712		712
@@ -721,7 +721,7 @@ CIFSSMBLogoff(const int xid, struct cifsSesInfo *ses)
721	pSMB->AndXCommand = 0xFF;	721	pSMB->AndXCommand = 0xFF;
722	rc = SendReceiveNoRsp(xid, ses, (struct smb_hdr *) pSMB, 0);	722	rc = SendReceiveNoRsp(xid, ses, (struct smb_hdr *) pSMB, 0);
723	session_already_dead:	723	session_already_dead:
724	up(&ses->sesSem);	724	mutex_unlock(&ses->session_mutex);
725		725
726	/* if session dead then we do not need to do ulogoff,	726	/* if session dead then we do not need to do ulogoff,
727	since server closed smb session, no sense reporting	727	since server closed smb session, no sense reporting
@@ -5269,22 +5269,34 @@ int CIFSSMBNotify(const int xid, struct cifsTconInfo *tcon,
5269	cifs_buf_release(pSMB);	5269	cifs_buf_release(pSMB);
5270	return rc;	5270	return rc;
5271	}	5271	}
		5272
5272	#ifdef CONFIG_CIFS_XATTR	5273	#ifdef CONFIG_CIFS_XATTR
		5274	/*
		5275	* Do a path-based QUERY_ALL_EAS call and parse the result. This is a common
		5276	* function used by listxattr and getxattr type calls. When ea_name is set,
		5277	* it looks for that attribute name and stuffs that value into the EAData
		5278	* buffer. When ea_name is NULL, it stuffs a list of attribute names into the
		5279	* buffer. In both cases, the return value is either the length of the
		5280	* resulting data or a negative error code. If EAData is a NULL pointer then
		5281	* the data isn't copied to it, but the length is returned.
		5282	*/
5273	ssize_t	5283	ssize_t
5274	CIFSSMBQAllEAs(const int xid, struct cifsTconInfo *tcon,	5284	CIFSSMBQAllEAs(const int xid, struct cifsTconInfo *tcon,
5275	const unsigned char *searchName,	5285	const unsigned char searchName, const unsigned char ea_name,
5276	char *EAData, size_t buf_size,	5286	char *EAData, size_t buf_size,
5277	const struct nls_table *nls_codepage, int remap)	5287	const struct nls_table *nls_codepage, int remap)
5278	{	5288	{
5279	/* BB assumes one setup word */	5289	/* BB assumes one setup word */
5280	TRANSACTION2_QPI_REQ *pSMB = NULL;	5290	TRANSACTION2_QPI_REQ *pSMB = NULL;
5281	TRANSACTION2_QPI_RSP *pSMBr = NULL;	5291	TRANSACTION2_QPI_RSP *pSMBr = NULL;
5282	int rc = 0;	5292	int rc = 0;
5283	int bytes_returned;	5293	int bytes_returned;
5284	int name_len;	5294	int list_len;
		5295	struct fealist *ea_response_data;
5285	struct fea *temp_fea;	5296	struct fea *temp_fea;
5286	char *temp_ptr;	5297	char *temp_ptr;
5287	__u16 params, byte_count;	5298	char *end_of_smb;
		5299	__u16 params, byte_count, data_offset;
5288		5300
5289	cFYI(1, ("In Query All EAs path %s", searchName));	5301	cFYI(1, ("In Query All EAs path %s", searchName));
5290	QAllEAsRetry:	5302	QAllEAsRetry:
@@ -5294,22 +5306,22 @@ QAllEAsRetry:
5294	return rc;	5306	return rc;
5295		5307
5296	if (pSMB->hdr.Flags2 & SMBFLG2_UNICODE) {	5308	if (pSMB->hdr.Flags2 & SMBFLG2_UNICODE) {
5297	name_len =	5309	list_len =
5298	cifsConvertToUCS((__le16 *) pSMB->FileName, searchName,	5310	cifsConvertToUCS((__le16 *) pSMB->FileName, searchName,
5299	PATH_MAX, nls_codepage, remap);	5311	PATH_MAX, nls_codepage, remap);
5300	name_len++; /* trailing null */	5312	list_len++; /* trailing null */
5301	name_len *= 2;	5313	list_len *= 2;
5302	} else { /* BB improve the check for buffer overruns BB */	5314	} else { /* BB improve the check for buffer overruns BB */
5303	name_len = strnlen(searchName, PATH_MAX);	5315	list_len = strnlen(searchName, PATH_MAX);
5304	name_len++; /* trailing null */	5316	list_len++; /* trailing null */
5305	strncpy(pSMB->FileName, searchName, name_len);	5317	strncpy(pSMB->FileName, searchName, list_len);
5306	}	5318	}
5307		5319
5308	params = 2 /* level / + 4 / reserved / + name_len / includes NUL */;	5320	params = 2 /* level / + 4 / reserved / + list_len / includes NUL */;
5309	pSMB->TotalDataCount = 0;	5321	pSMB->TotalDataCount = 0;
5310	pSMB->MaxParameterCount = cpu_to_le16(2);	5322	pSMB->MaxParameterCount = cpu_to_le16(2);
5311	/* BB find exact max SMB PDU from sess structure BB */	5323	/* BB find exact max SMB PDU from sess structure BB */
5312	pSMB->MaxDataCount = cpu_to_le16(4000);	5324	pSMB->MaxDataCount = cpu_to_le16(CIFSMaxBufSize);
5313	pSMB->MaxSetupCount = 0;	5325	pSMB->MaxSetupCount = 0;
5314	pSMB->Reserved = 0;	5326	pSMB->Reserved = 0;
5315	pSMB->Flags = 0;	5327	pSMB->Flags = 0;
@@ -5334,237 +5346,117 @@ QAllEAsRetry:
5334	(struct smb_hdr *) pSMBr, &bytes_returned, 0);	5346	(struct smb_hdr *) pSMBr, &bytes_returned, 0);
5335	if (rc) {	5347	if (rc) {
5336	cFYI(1, ("Send error in QueryAllEAs = %d", rc));	5348	cFYI(1, ("Send error in QueryAllEAs = %d", rc));
5337	} else { /* decode response */	5349	goto QAllEAsOut;
5338	rc = validate_t2((struct smb_t2_rsp *)pSMBr);	5350	}
5339		5351
5340	/* BB also check enough total bytes returned */	5352
5341	/* BB we need to improve the validity checking	5353	/* BB also check enough total bytes returned */
5342	of these trans2 responses */	5354	/* BB we need to improve the validity checking
5343	if (rc \|\| (pSMBr->ByteCount < 4))	5355	of these trans2 responses */
5344	rc = -EIO; /* bad smb */	5356
5345	/* else if (pFindData){	5357	rc = validate_t2((struct smb_t2_rsp *)pSMBr);
5346	memcpy((char *) pFindData,	5358	if (rc \|\| (pSMBr->ByteCount < 4)) {
5347	(char *) &pSMBr->hdr.Protocol +	5359	rc = -EIO; /* bad smb */
5348	data_offset, kl);	5360	goto QAllEAsOut;
5349	}*/ else {
5350	/* check that length of list is not more than bcc */
5351	/* check that each entry does not go beyond length
5352	of list */
5353	/* check that each element of each entry does not
5354	go beyond end of list */
5355	__u16 data_offset = le16_to_cpu(pSMBr->t2.DataOffset);
5356	struct fealist *ea_response_data;
5357	rc = 0;
5358	/* validate_trans2_offsets() */
5359	/* BB check if start of smb + data_offset > &bcc+ bcc */
5360	ea_response_data = (struct fealist *)
5361	(((char *) &pSMBr->hdr.Protocol) +
5362	data_offset);
5363	name_len = le32_to_cpu(ea_response_data->list_len);
5364	cFYI(1, ("ea length %d", name_len));
5365	if (name_len <= 8) {
5366	/* returned EA size zeroed at top of function */
5367	cFYI(1, ("empty EA list returned from server"));
5368	} else {
5369	/* account for ea list len */
5370	name_len -= 4;
5371	temp_fea = ea_response_data->list;
5372	temp_ptr = (char *)temp_fea;
5373	while (name_len > 0) {
5374	__u16 value_len;
5375	name_len -= 4;
5376	temp_ptr += 4;
5377	rc += temp_fea->name_len;
5378	/* account for prefix user. and trailing null */
5379	rc = rc + 5 + 1;
5380	if (rc < (int)buf_size) {
5381	memcpy(EAData, "user.", 5);
5382	EAData += 5;
5383	memcpy(EAData, temp_ptr,
5384	temp_fea->name_len);
5385	EAData += temp_fea->name_len;
5386	/* null terminate name */
5387	*EAData = 0;
5388	EAData = EAData + 1;
5389	} else if (buf_size == 0) {
5390	/* skip copy - calc size only */
5391	} else {
5392	/* stop before overrun buffer */
5393	rc = -ERANGE;
5394	break;
5395	}
5396	name_len -= temp_fea->name_len;
5397	temp_ptr += temp_fea->name_len;
5398	/* account for trailing null */
5399	name_len--;
5400	temp_ptr++;
5401	value_len =
5402	le16_to_cpu(temp_fea->value_len);
5403	name_len -= value_len;
5404	temp_ptr += value_len;
5405	/* BB check that temp_ptr is still
5406	within the SMB BB*/
5407
5408	/* no trailing null to account for
5409	in value len */
5410	/* go on to next EA */
5411	temp_fea = (struct fea *)temp_ptr;
5412	}
5413	}
5414	}
5415	}	5361	}
5416	cifs_buf_release(pSMB);
5417	if (rc == -EAGAIN)
5418	goto QAllEAsRetry;
5419		5362
5420	return (ssize_t)rc;	5363	/* check that length of list is not more than bcc */
5421	}	5364	/* check that each entry does not go beyond length
		5365	of list */
		5366	/* check that each element of each entry does not
		5367	go beyond end of list */
		5368	/* validate_trans2_offsets() */
		5369	/* BB check if start of smb + data_offset > &bcc+ bcc */
5422		5370
5423	ssize_t CIFSSMBQueryEA(const int xid, struct cifsTconInfo *tcon,	5371	data_offset = le16_to_cpu(pSMBr->t2.DataOffset);
5424	const unsigned char searchName, const unsigned char ea_name,	5372	ea_response_data = (struct fealist *)
5425	unsigned char *ea_value, size_t buf_size,	5373	(((char *) &pSMBr->hdr.Protocol) + data_offset);
5426	const struct nls_table *nls_codepage, int remap)
5427	{
5428	TRANSACTION2_QPI_REQ *pSMB = NULL;
5429	TRANSACTION2_QPI_RSP *pSMBr = NULL;
5430	int rc = 0;
5431	int bytes_returned;
5432	int name_len;
5433	struct fea *temp_fea;
5434	char *temp_ptr;
5435	__u16 params, byte_count;
5436		5374
5437	cFYI(1, ("In Query EA path %s", searchName));	5375	list_len = le32_to_cpu(ea_response_data->list_len);
5438	QEARetry:	5376	cFYI(1, ("ea length %d", list_len));
5439	rc = smb_init(SMB_COM_TRANSACTION2, 15, tcon, (void **) &pSMB,	5377	if (list_len <= 8) {
5440	(void **) &pSMBr);	5378	cFYI(1, ("empty EA list returned from server"));
5441	if (rc)	5379	goto QAllEAsOut;
5442	return rc;	5380	}
5443		5381
5444	if (pSMB->hdr.Flags2 & SMBFLG2_UNICODE) {	5382	/* make sure list_len doesn't go past end of SMB */
5445	name_len =	5383	end_of_smb = (char *)pByteArea(&pSMBr->hdr) + BCC(&pSMBr->hdr);
5446	cifsConvertToUCS((__le16 *) pSMB->FileName, searchName,	5384	if ((char *)ea_response_data + list_len > end_of_smb) {
5447	PATH_MAX, nls_codepage, remap);	5385	cFYI(1, ("EA list appears to go beyond SMB"));
5448	name_len++; /* trailing null */	5386	rc = -EIO;
5449	name_len *= 2;	5387	goto QAllEAsOut;
5450	} else { /* BB improve the check for buffer overruns BB */
5451	name_len = strnlen(searchName, PATH_MAX);
5452	name_len++; /* trailing null */
5453	strncpy(pSMB->FileName, searchName, name_len);
5454	}	5388	}
5455		5389
5456	params = 2 /* level / + 4 / reserved / + name_len / includes NUL */;	5390	/* account for ea list len */
5457	pSMB->TotalDataCount = 0;	5391	list_len -= 4;
5458	pSMB->MaxParameterCount = cpu_to_le16(2);	5392	temp_fea = ea_response_data->list;
5459	/* BB find exact max SMB PDU from sess structure BB */	5393	temp_ptr = (char *)temp_fea;
5460	pSMB->MaxDataCount = cpu_to_le16(4000);	5394	while (list_len > 0) {
5461	pSMB->MaxSetupCount = 0;	5395	unsigned int name_len;
5462	pSMB->Reserved = 0;	5396	__u16 value_len;
5463	pSMB->Flags = 0;	5397
5464	pSMB->Timeout = 0;	5398	list_len -= 4;
5465	pSMB->Reserved2 = 0;	5399	temp_ptr += 4;
5466	pSMB->ParameterOffset = cpu_to_le16(offsetof(	5400	/* make sure we can read name_len and value_len */
5467	struct smb_com_transaction2_qpi_req, InformationLevel) - 4);	5401	if (list_len < 0) {
5468	pSMB->DataCount = 0;	5402	cFYI(1, ("EA entry goes beyond length of list"));
5469	pSMB->DataOffset = 0;	5403	rc = -EIO;
5470	pSMB->SetupCount = 1;	5404	goto QAllEAsOut;
5471	pSMB->Reserved3 = 0;	5405	}
5472	pSMB->SubCommand = cpu_to_le16(TRANS2_QUERY_PATH_INFORMATION);
5473	byte_count = params + 1 /* pad */ ;
5474	pSMB->TotalParameterCount = cpu_to_le16(params);
5475	pSMB->ParameterCount = pSMB->TotalParameterCount;
5476	pSMB->InformationLevel = cpu_to_le16(SMB_INFO_QUERY_ALL_EAS);
5477	pSMB->Reserved4 = 0;
5478	pSMB->hdr.smb_buf_length += byte_count;
5479	pSMB->ByteCount = cpu_to_le16(byte_count);
5480		5406
5481	rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,	5407	name_len = temp_fea->name_len;
5482	(struct smb_hdr *) pSMBr, &bytes_returned, 0);	5408	value_len = le16_to_cpu(temp_fea->value_len);
5483	if (rc) {	5409	list_len -= name_len + 1 + value_len;
5484	cFYI(1, ("Send error in Query EA = %d", rc));	5410	if (list_len < 0) {
5485	} else { /* decode response */	5411	cFYI(1, ("EA entry goes beyond length of list"));
5486	rc = validate_t2((struct smb_t2_rsp *)pSMBr);	5412	rc = -EIO;
		5413	goto QAllEAsOut;
		5414	}
5487		5415
5488	/* BB also check enough total bytes returned */	5416	if (ea_name) {
5489	/* BB we need to improve the validity checking	5417	if (strncmp(ea_name, temp_ptr, name_len) == 0) {
5490	of these trans2 responses */	5418	temp_ptr += name_len + 1;
5491	if (rc \|\| (pSMBr->ByteCount < 4))	5419	rc = value_len;
5492	rc = -EIO; /* bad smb */	5420	if (buf_size == 0)
5493	/* else if (pFindData){	5421	goto QAllEAsOut;
5494	memcpy((char *) pFindData,	5422	if ((size_t)value_len > buf_size) {
5495	(char *) &pSMBr->hdr.Protocol +	5423	rc = -ERANGE;
5496	data_offset, kl);	5424	goto QAllEAsOut;
5497	}*/ else {
5498	/* check that length of list is not more than bcc */
5499	/* check that each entry does not go beyond length
5500	of list */
5501	/* check that each element of each entry does not
5502	go beyond end of list */
5503	__u16 data_offset = le16_to_cpu(pSMBr->t2.DataOffset);
5504	struct fealist *ea_response_data;
5505	rc = -ENODATA;
5506	/* validate_trans2_offsets() */
5507	/* BB check if start of smb + data_offset > &bcc+ bcc*/
5508	ea_response_data = (struct fealist *)
5509	(((char *) &pSMBr->hdr.Protocol) +
5510	data_offset);
5511	name_len = le32_to_cpu(ea_response_data->list_len);
5512	cFYI(1, ("ea length %d", name_len));
5513	if (name_len <= 8) {
5514	/* returned EA size zeroed at top of function */
5515	cFYI(1, ("empty EA list returned from server"));
5516	} else {
5517	/* account for ea list len */
5518	name_len -= 4;
5519	temp_fea = ea_response_data->list;
5520	temp_ptr = (char *)temp_fea;
5521	/* loop through checking if we have a matching
5522	name and then return the associated value */
5523	while (name_len > 0) {
5524	__u16 value_len;
5525	name_len -= 4;
5526	temp_ptr += 4;
5527	value_len =
5528	le16_to_cpu(temp_fea->value_len);
5529	/* BB validate that value_len falls within SMB,
5530	even though maximum for name_len is 255 */
5531	if (memcmp(temp_fea->name, ea_name,
5532	temp_fea->name_len) == 0) {
5533	/* found a match */
5534	rc = value_len;
5535	/* account for prefix user. and trailing null */
5536	if (rc <= (int)buf_size) {
5537	memcpy(ea_value,
5538	temp_fea->name+temp_fea->name_len+1,
5539	rc);
5540	/* ea values, unlike ea
5541	names, are not null
5542	terminated */
5543	} else if (buf_size == 0) {
5544	/* skip copy - calc size only */
5545	} else {
5546	/* stop before overrun buffer */
5547	rc = -ERANGE;
5548	}
5549	break;
5550	}
5551	name_len -= temp_fea->name_len;
5552	temp_ptr += temp_fea->name_len;
5553	/* account for trailing null */
5554	name_len--;
5555	temp_ptr++;
5556	name_len -= value_len;
5557	temp_ptr += value_len;
5558	/* No trailing null to account for in
5559	value_len. Go on to next EA */
5560	temp_fea = (struct fea *)temp_ptr;
5561	}	5425	}
		5426	memcpy(EAData, temp_ptr, value_len);
		5427	goto QAllEAsOut;
		5428	}
		5429	} else {
		5430	/* account for prefix user. and trailing null */
		5431	rc += (5 + 1 + name_len);
		5432	if (rc < (int) buf_size) {
		5433	memcpy(EAData, "user.", 5);
		5434	EAData += 5;
		5435	memcpy(EAData, temp_ptr, name_len);
		5436	EAData += name_len;
		5437	/* null terminate name */
		5438	*EAData = 0;
		5439	++EAData;
		5440	} else if (buf_size == 0) {
		5441	/* skip copy - calc size only */
		5442	} else {
		5443	/* stop before overrun buffer */
		5444	rc = -ERANGE;
		5445	break;
5562	}	5446	}
5563	}	5447	}
		5448	temp_ptr += name_len + 1 + value_len;
		5449	temp_fea = (struct fea *)temp_ptr;
5564	}	5450	}
		5451
		5452	/* didn't find the named attribute */
		5453	if (ea_name)
		5454	rc = -ENODATA;
		5455
		5456	QAllEAsOut:
5565	cifs_buf_release(pSMB);	5457	cifs_buf_release(pSMB);
5566	if (rc == -EAGAIN)	5458	if (rc == -EAGAIN)
5567	goto QEARetry;	5459	goto QAllEAsRetry;
5568		5460
5569	return (ssize_t)rc;	5461	return (ssize_t)rc;
5570	}	5462	}