1 files changed, 24 insertions, 6 deletions
diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index 161f24ca4f6e..8d6c17ab593d 100644
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -586,11 +586,20 @@ incomplete_rcv:
                total_read += 4; /* account for rfc1002 hdr */
                dump_smb(smb_buffer, total_read);
-                if (checkSMB(smb_buffer, smb_buffer->Mid, total_read)) {
+                /*
+                 * We know that we received enough to get to the MID as we
+                 * checked the pdu_length earlier. Now check to see
+                 * if the rest of the header is OK. We borrow the length
+                 * var for the rest of the loop to avoid a new stack var.
+                 *
+                 * 48 bytes is enough to display the header and a little bit
+                 * into the payload for debugging purposes.
+                 */
+                length = checkSMB(smb_buffer, smb_buffer->Mid, total_read);
+                if (length != 0)
                        cifs_dump_mem("Bad SMB: ", smb_buffer,
-                                        total_read < 48 ? total_read : 48);
+                                        min_t(unsigned int, total_read, 48));
-                        continue;
-                }
                mid_entry = NULL;
                server->lstrp = jiffies;
@@ -602,7 +611,8 @@ incomplete_rcv:
                        if ((mid_entry->mid == smb_buffer->Mid) &&
                            (mid_entry->midState == MID_REQUEST_SUBMITTED) &&
                            (mid_entry->command == smb_buffer->Command)) {
-                                if (check2ndT2(smb_buffer,server->maxBuf) > 0) {
+                                if (length == 0 &&
+                                   check2ndT2(smb_buffer, server->maxBuf) > 0) {
                                        /* We have a multipart transact2 resp */
                                        isMultiRsp = true;
                                        if (mid_entry->resp_buf) {
@@ -637,7 +647,12 @@ incomplete_rcv:
                                mid_entry->resp_buf = smb_buffer;
                                mid_entry->largeBuf = isLargeBuf;
 multi_t2_fnd:
-                                mid_entry->midState = MID_RESPONSE_RECEIVED;
+                                if (length == 0)
+                                        mid_entry->midState =
+                                                        MID_RESPONSE_RECEIVED;
+                                else
+                                        mid_entry->midState =
+                                                        MID_RESPONSE_MALFORMED;
 #ifdef CONFIG_CIFS_STATS2
                                mid_entry->when_received = jiffies;
 #endif
@@ -658,6 +673,9 @@ multi_t2_fnd:
                                else
                                        smallbuf = NULL;
                        }
+                } else if (length != 0) {
+                        /* response sanity checks failed */
+                        continue;
                } else if (!is_valid_oplock_break(smb_buffer, server) &&
                           !isMultiRsp) {
                        cERROR(1, "No task to wake, unknown frame received! "

diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c index 161f24ca4f6e..8d6c17ab593d 100644 --- a/fs/cifs/connect.c +++ b/fs/cifs/connect.c
@@ -586,11 +586,20 @@ incomplete_rcv:
586	total_read += 4; /* account for rfc1002 hdr */	586	total_read += 4; /* account for rfc1002 hdr */
587		587
588	dump_smb(smb_buffer, total_read);	588	dump_smb(smb_buffer, total_read);
589	if (checkSMB(smb_buffer, smb_buffer->Mid, total_read)) {	589
		590	/*
		591	* We know that we received enough to get to the MID as we
		592	* checked the pdu_length earlier. Now check to see
		593	* if the rest of the header is OK. We borrow the length
		594	* var for the rest of the loop to avoid a new stack var.
		595	*
		596	* 48 bytes is enough to display the header and a little bit
		597	* into the payload for debugging purposes.
		598	*/
		599	length = checkSMB(smb_buffer, smb_buffer->Mid, total_read);
		600	if (length != 0)
590	cifs_dump_mem("Bad SMB: ", smb_buffer,	601	cifs_dump_mem("Bad SMB: ", smb_buffer,
591	total_read < 48 ? total_read : 48);	602	min_t(unsigned int, total_read, 48));
592	continue;
593	}
594		603
595	mid_entry = NULL;	604	mid_entry = NULL;
596	server->lstrp = jiffies;	605	server->lstrp = jiffies;
@@ -602,7 +611,8 @@ incomplete_rcv:
602	if ((mid_entry->mid == smb_buffer->Mid) &&	611	if ((mid_entry->mid == smb_buffer->Mid) &&
603	(mid_entry->midState == MID_REQUEST_SUBMITTED) &&	612	(mid_entry->midState == MID_REQUEST_SUBMITTED) &&
604	(mid_entry->command == smb_buffer->Command)) {	613	(mid_entry->command == smb_buffer->Command)) {
605	if (check2ndT2(smb_buffer,server->maxBuf) > 0) {	614	if (length == 0 &&
		615	check2ndT2(smb_buffer, server->maxBuf) > 0) {
606	/* We have a multipart transact2 resp */	616	/* We have a multipart transact2 resp */
607	isMultiRsp = true;	617	isMultiRsp = true;
608	if (mid_entry->resp_buf) {	618	if (mid_entry->resp_buf) {
@@ -637,7 +647,12 @@ incomplete_rcv:
637	mid_entry->resp_buf = smb_buffer;	647	mid_entry->resp_buf = smb_buffer;
638	mid_entry->largeBuf = isLargeBuf;	648	mid_entry->largeBuf = isLargeBuf;
639	multi_t2_fnd:	649	multi_t2_fnd:
640	mid_entry->midState = MID_RESPONSE_RECEIVED;	650	if (length == 0)
		651	mid_entry->midState =
		652	MID_RESPONSE_RECEIVED;
		653	else
		654	mid_entry->midState =
		655	MID_RESPONSE_MALFORMED;
641	#ifdef CONFIG_CIFS_STATS2	656	#ifdef CONFIG_CIFS_STATS2
642	mid_entry->when_received = jiffies;	657	mid_entry->when_received = jiffies;
643	#endif	658	#endif
@@ -658,6 +673,9 @@ multi_t2_fnd:
658	else	673	else
659	smallbuf = NULL;	674	smallbuf = NULL;
660	}	675	}
		676	} else if (length != 0) {
		677	/* response sanity checks failed */
		678	continue;
661	} else if (!is_valid_oplock_break(smb_buffer, server) &&	679	} else if (!is_valid_oplock_break(smb_buffer, server) &&
662	!isMultiRsp) {	680	!isMultiRsp) {
663	cERROR(1, "No task to wake, unknown frame received! "	681	cERROR(1, "No task to wake, unknown frame received! "