1 files changed, 7 insertions, 4 deletions

diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
index d85efad5765f..551d0c2b9736 100644
--- a/fs/cifs/sess.c
+++ b/fs/cifs/sess.c
@@ -246,16 +246,15 @@ static void ascii_ssetup_strings(char **pbcc_area, struct cifs_ses *ses,
         /* copy user */
         /* BB what about null user mounts - check that we do this BB */
         /* copy user */
-        if (ses->user_name != NULL)
+        if (ses->user_name != NULL) {
                 strncpy(bcc_ptr, ses->user_name, MAX_USERNAME_SIZE);
+                bcc_ptr += strnlen(ses->user_name, MAX_USERNAME_SIZE);
+        }
         /* else null user mount */
-
-        bcc_ptr += strnlen(ses->user_name, MAX_USERNAME_SIZE);
         *bcc_ptr = 0;
         bcc_ptr++; /* account for null termination */
 
         /* copy domain */
-
         if (ses->domainName != NULL) {
                 strncpy(bcc_ptr, ses->domainName, 256);
                 bcc_ptr += strnlen(ses->domainName, 256);
@@ -395,6 +394,10 @@ static int decode_ntlmssp_challenge(char *bcc_ptr, int blob_len,
         ses->ntlmssp->server_flags = le32_to_cpu(pblob->NegotiateFlags);
         tioffset = le32_to_cpu(pblob->TargetInfoArray.BufferOffset);
         tilen = le16_to_cpu(pblob->TargetInfoArray.Length);
+        if (tioffset > blob_len || tioffset + tilen > blob_len) {
+                cERROR(1, "tioffset + tilen too high %u + %u", tioffset, tilen);
+                return -EINVAL;
+        }
         if (tilen) {
                 ses->auth_key.response = kmalloc(tilen, GFP_KERNEL);
                 if (!ses->auth_key.response) {