cifs: clean up unaligned accesses in validate_t2
...and clean up function to reduce indentation. Signed-off-by: Jeff Layton <jlayton@redhat.com> Acked-by: Pavel Shilovsky <piastryyy@gmail.com> Reviewed-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
parent
690c522fa5
commit
12df83c9b9
|
@ -331,31 +331,33 @@ smb_init_no_reconnect(int smb_command, int wct, struct cifsTconInfo *tcon,
|
||||||
|
|
||||||
static int validate_t2(struct smb_t2_rsp *pSMB)
|
static int validate_t2(struct smb_t2_rsp *pSMB)
|
||||||
{
|
{
|
||||||
int rc = -EINVAL;
|
unsigned int total_size;
|
||||||
int total_size;
|
|
||||||
|
/* check for plausible wct */
|
||||||
|
if (pSMB->hdr.WordCount < 10)
|
||||||
|
goto vt2_err;
|
||||||
|
|
||||||
/* check for plausible wct, bcc and t2 data and parm sizes */
|
|
||||||
/* check for parm and data offset going beyond end of smb */
|
/* check for parm and data offset going beyond end of smb */
|
||||||
if (pSMB->hdr.WordCount >= 10) {
|
if (get_unaligned_le16(&pSMB->t2_rsp.ParameterOffset) > 1024 ||
|
||||||
if ((le16_to_cpu(pSMB->t2_rsp.ParameterOffset) <= 1024) &&
|
get_unaligned_le16(&pSMB->t2_rsp.DataOffset) > 1024)
|
||||||
(le16_to_cpu(pSMB->t2_rsp.DataOffset) <= 1024)) {
|
goto vt2_err;
|
||||||
|
|
||||||
/* check that bcc is at least as big as parms + data */
|
/* check that bcc is at least as big as parms + data */
|
||||||
/* check that bcc is less than negotiated smb buffer */
|
/* check that bcc is less than negotiated smb buffer */
|
||||||
total_size = le16_to_cpu(pSMB->t2_rsp.ParameterCount);
|
total_size = get_unaligned_le16(&pSMB->t2_rsp.ParameterCount);
|
||||||
if (total_size < 512) {
|
if (total_size >= 512)
|
||||||
total_size +=
|
goto vt2_err;
|
||||||
le16_to_cpu(pSMB->t2_rsp.DataCount);
|
|
||||||
if (total_size <= get_bcc(&pSMB->hdr) &&
|
total_size += get_unaligned_le16(&pSMB->t2_rsp.DataCount);
|
||||||
total_size <
|
if (total_size > get_bcc(&pSMB->hdr) ||
|
||||||
CIFSMaxBufSize + MAX_CIFS_HDR_SIZE) {
|
total_size >= CIFSMaxBufSize + MAX_CIFS_HDR_SIZE)
|
||||||
|
goto vt2_err;
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
vt2_err:
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
cifs_dump_mem("Invalid transact2 SMB: ", (char *)pSMB,
|
cifs_dump_mem("Invalid transact2 SMB: ", (char *)pSMB,
|
||||||
sizeof(struct smb_t2_rsp) + 16);
|
sizeof(struct smb_t2_rsp) + 16);
|
||||||
return rc;
|
return -EINVAL;
|
||||||
}
|
}
|
||||||
|
|
||||||
int
|
int
|
||||||
|
|
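Review bot: In the new validate_t2(), ParameterOffset and DataOffset are each compared only with the constant 1024, and ParameterCount + DataCount only with the byte count and the negotiated buffer size, so nothing confirms that offset + count for either region stays inside the response that was actually received. These fields are server-supplied, so a caller that later reads DataCount bytes at DataOffset depends on a bound this function does not enforce. Consider a per-region check such as `if (data_off + data_cnt > rcvd_len) goto vt2_err;` and the same for the parameter region; `data_off`, `data_cnt` and `rcvd_len` are illustrative names, and the received frame length is not available in the visible code. Separately, the `vt2_err` path always dumps `sizeof(struct smb_t2_rsp) + 16` bytes from `pSMB` regardless of how much was received, which presumably relies on the receive buffer always being at least that large; a comment stating that assumption would help. The bare 512 and 1024 limits would also be clearer as named constants.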