cifs: sanitize length checking in coalesce_t2 (try #3)
There are a couple of places in this code where these values can wrap or go negative, and that could potentially end up overflowing the buffer. Ensure that that doesn't happen. Do all of the length calculation and checks first, and only perform the memcpy after they pass. Also, increase some stack variables to 32 bits to ensure that they don't wrap without being detected. Finally, change the error codes to be a bit more descriptive of any problems detected. -EINVAL isn't very accurate. Cc: stable@kernel.org Reported-and-Acked-by: David Howells <dhowells@redhat.com> Signed-off-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
This commit is contained in:
parent
fcda7f4578
commit
2a2047bc94
|
@ -274,7 +274,8 @@ static int coalesce_t2(struct smb_hdr *psecond, struct smb_hdr *pTargetSMB)
|
||||||
char *data_area_of_target;
|
char *data_area_of_target;
|
||||||
char *data_area_of_buf2;
|
char *data_area_of_buf2;
|
||||||
int remaining;
|
int remaining;
|
||||||
__u16 byte_count, total_data_size, total_in_buf, total_in_buf2;
|
unsigned int byte_count, total_in_buf;
|
||||||
|
__u16 total_data_size, total_in_buf2;
|
||||||
|
|
||||||
total_data_size = get_unaligned_le16(&pSMBt->t2_rsp.TotalDataCount);
|
total_data_size = get_unaligned_le16(&pSMBt->t2_rsp.TotalDataCount);
|
||||||
|
|
||||||
|
@ -287,7 +288,7 @@ static int coalesce_t2(struct smb_hdr *psecond, struct smb_hdr *pTargetSMB)
|
||||||
remaining = total_data_size - total_in_buf;
|
remaining = total_data_size - total_in_buf;
|
||||||
|
|
||||||
if (remaining < 0)
|
if (remaining < 0)
|
||||||
return -EINVAL;
|
return -EPROTO;
|
||||||
|
|
||||||
if (remaining == 0) /* nothing to do, ignore */
|
if (remaining == 0) /* nothing to do, ignore */
|
||||||
return 0;
|
return 0;
|
||||||
|
@ -308,20 +309,29 @@ static int coalesce_t2(struct smb_hdr *psecond, struct smb_hdr *pTargetSMB)
|
||||||
data_area_of_target += total_in_buf;
|
data_area_of_target += total_in_buf;
|
||||||
|
|
||||||
/* copy second buffer into end of first buffer */
|
/* copy second buffer into end of first buffer */
|
||||||
memcpy(data_area_of_target, data_area_of_buf2, total_in_buf2);
|
|
||||||
total_in_buf += total_in_buf2;
|
total_in_buf += total_in_buf2;
|
||||||
|
/* is the result too big for the field? */
|
||||||
|
if (total_in_buf > USHRT_MAX)
|
||||||
|
return -EPROTO;
|
||||||
put_unaligned_le16(total_in_buf, &pSMBt->t2_rsp.DataCount);
|
put_unaligned_le16(total_in_buf, &pSMBt->t2_rsp.DataCount);
|
||||||
|
|
||||||
|
/* fix up the BCC */
|
||||||
byte_count = get_bcc_le(pTargetSMB);
|
byte_count = get_bcc_le(pTargetSMB);
|
||||||
byte_count += total_in_buf2;
|
byte_count += total_in_buf2;
|
||||||
|
/* is the result too big for the field? */
|
||||||
|
if (byte_count > USHRT_MAX)
|
||||||
|
return -EPROTO;
|
||||||
put_bcc_le(byte_count, pTargetSMB);
|
put_bcc_le(byte_count, pTargetSMB);
|
||||||
|
|
||||||
byte_count = pTargetSMB->smb_buf_length;
|
byte_count = pTargetSMB->smb_buf_length;
|
||||||
byte_count += total_in_buf2;
|
byte_count += total_in_buf2;
|
||||||
|
/* don't allow buffer to overflow */
|
||||||
/* BB also add check that we are not beyond maximum buffer size */
|
if (byte_count > CIFSMaxBufSize)
|
||||||
|
return -ENOBUFS;
|
||||||
pTargetSMB->smb_buf_length = byte_count;
|
pTargetSMB->smb_buf_length = byte_count;
|
||||||
|
|
||||||
|
memcpy(data_area_of_target, data_area_of_buf2, total_in_buf2);
|
||||||
|
|
||||||
if (remaining == total_in_buf2) {
|
if (remaining == total_in_buf2) {
|
||||||
cFYI(1, "found the last secondary response");
|
cFYI(1, "found the last secondary response");
|
||||||
return 0; /* we are done */
|
return 0; /* we are done */
|
||||||
|
|
Loading…
Reference in New Issue