cifs: fix unaligned access in check2ndT2 and coalesce_t2
Signed-off-by: Jeff Layton <jlayton@redhat.com> Acked-by: Pavel Shilovsky <piastryyy@gmail.com> Reviewed-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
This commit is contained in:
Jeff Layton
Steve French
parent
12df83c9b9
commit
26ec254869
|
|
@ -232,9 +232,8 @@ cifs_reconnect(struct TCP_Server_Info *server)
|
||||||
static int check2ndT2(struct smb_hdr *pSMB, unsigned int maxBufSize)
|
static int check2ndT2(struct smb_hdr *pSMB, unsigned int maxBufSize)
|
||||||
{
|
{
|
||||||
struct smb_t2_rsp *pSMBt;
|
struct smb_t2_rsp *pSMBt;
|
||||||
int total_data_size;
|
|
||||||
int data_in_this_rsp;
|
|
||||||
int remaining;
|
int remaining;
|
||||||
|
__u16 total_data_size, data_in_this_rsp;
|
||||||
|
|
||||||
if (pSMB->Command != SMB_COM_TRANSACTION2)
|
if (pSMB->Command != SMB_COM_TRANSACTION2)
|
||||||
return 0;
|
return 0;
|
||||||
|
|
@ -248,8 +247,8 @@ static int check2ndT2(struct smb_hdr *pSMB, unsigned int maxBufSize)
|
||||||
|
|
||||||
pSMBt = (struct smb_t2_rsp *)pSMB;
|
pSMBt = (struct smb_t2_rsp *)pSMB;
|
||||||
|
|
||||||
total_data_size = le16_to_cpu(pSMBt->t2_rsp.TotalDataCount);
|
total_data_size = get_unaligned_le16(&pSMBt->t2_rsp.TotalDataCount);
|
||||||
data_in_this_rsp = le16_to_cpu(pSMBt->t2_rsp.DataCount);
|
data_in_this_rsp = get_unaligned_le16(&pSMBt->t2_rsp.DataCount);
|
||||||
|
|
||||||
remaining = total_data_size - data_in_this_rsp;
|
remaining = total_data_size - data_in_this_rsp;
|
||||||
|
|
||||||
|
|
@ -275,21 +274,18 @@ static int coalesce_t2(struct smb_hdr *psecond, struct smb_hdr *pTargetSMB)
|
||||||
{
|
{
|
||||||
struct smb_t2_rsp *pSMB2 = (struct smb_t2_rsp *)psecond;
|
struct smb_t2_rsp *pSMB2 = (struct smb_t2_rsp *)psecond;
|
||||||
struct smb_t2_rsp *pSMBt = (struct smb_t2_rsp *)pTargetSMB;
|
struct smb_t2_rsp *pSMBt = (struct smb_t2_rsp *)pTargetSMB;
|
||||||
int total_data_size;
|
|
||||||
int total_in_buf;
|
|
||||||
int remaining;
|
|
||||||
int total_in_buf2;
|
|
||||||
char *data_area_of_target;
|
char *data_area_of_target;
|
||||||
char *data_area_of_buf2;
|
char *data_area_of_buf2;
|
||||||
__u16 byte_count;
|
int remaining;
|
||||||
|
__u16 byte_count, total_data_size, total_in_buf, total_in_buf2;
|
||||||
|
|
||||||
total_data_size = le16_to_cpu(pSMBt->t2_rsp.TotalDataCount);
|
total_data_size = get_unaligned_le16(&pSMBt->t2_rsp.TotalDataCount);
|
||||||
|
|
||||||
if (total_data_size != le16_to_cpu(pSMB2->t2_rsp.TotalDataCount)) {
|
if (total_data_size !=
|
||||||
|
get_unaligned_le16(&pSMB2->t2_rsp.TotalDataCount))
|
||||||
cFYI(1, "total data size of primary and secondary t2 differ");
|
cFYI(1, "total data size of primary and secondary t2 differ");
|
||||||
}
|
|
||||||
|
|
||||||
total_in_buf = le16_to_cpu(pSMBt->t2_rsp.DataCount);
|
total_in_buf = get_unaligned_le16(&pSMBt->t2_rsp.DataCount);
|
||||||
|
|
||||||
remaining = total_data_size - total_in_buf;
|
remaining = total_data_size - total_in_buf;
|
||||||
|
|
||||||
|
|
@ -299,25 +295,25 @@ static int coalesce_t2(struct smb_hdr *psecond, struct smb_hdr *pTargetSMB)
|
||||||
if (remaining == 0) /* nothing to do, ignore */
|
if (remaining == 0) /* nothing to do, ignore */
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
total_in_buf2 = le16_to_cpu(pSMB2->t2_rsp.DataCount);
|
total_in_buf2 = get_unaligned_le16(&pSMB2->t2_rsp.DataCount);
|
||||||
if (remaining < total_in_buf2) {
|
if (remaining < total_in_buf2) {
|
||||||
cFYI(1, "transact2 2nd response contains too much data");
|
cFYI(1, "transact2 2nd response contains too much data");
|
||||||
}
|
}
|
||||||
|
|
||||||
/* find end of first SMB data area */
|
/* find end of first SMB data area */
|
||||||
data_area_of_target = (char *)&pSMBt->hdr.Protocol +
|
data_area_of_target = (char *)&pSMBt->hdr.Protocol +
|
||||||
le16_to_cpu(pSMBt->t2_rsp.DataOffset);
|
get_unaligned_le16(&pSMBt->t2_rsp.DataOffset);
|
||||||
/* validate target area */
|
/* validate target area */
|
||||||
|
|
||||||
data_area_of_buf2 = (char *) &pSMB2->hdr.Protocol +
|
data_area_of_buf2 = (char *)&pSMB2->hdr.Protocol +
|
||||||
le16_to_cpu(pSMB2->t2_rsp.DataOffset);
|
get_unaligned_le16(&pSMB2->t2_rsp.DataOffset);
|
||||||
|
|
||||||
data_area_of_target += total_in_buf;
|
data_area_of_target += total_in_buf;
|
||||||
|
|
||||||
/* copy second buffer into end of first buffer */
|
/* copy second buffer into end of first buffer */
|
||||||
memcpy(data_area_of_target, data_area_of_buf2, total_in_buf2);
|
memcpy(data_area_of_target, data_area_of_buf2, total_in_buf2);
|
||||||
total_in_buf += total_in_buf2;
|
total_in_buf += total_in_buf2;
|
||||||
pSMBt->t2_rsp.DataCount = cpu_to_le16(total_in_buf);
|
put_unaligned_le16(total_in_buf, &pSMBt->t2_rsp.DataCount);
|
||||||
byte_count = get_bcc_le(pTargetSMB);
|
byte_count = get_bcc_le(pTargetSMB);
|
||||||
byte_count += total_in_buf2;
|
byte_count += total_in_buf2;
|
||||||
put_bcc_le(byte_count, pTargetSMB);
|
put_bcc_le(byte_count, pTargetSMB);
|
||||||
|
|
@ -334,7 +330,6 @@ static int coalesce_t2(struct smb_hdr *psecond, struct smb_hdr *pTargetSMB)
|
||||||
return 0; /* we are done */
|
return 0; /* we are done */
|
||||||
} else /* more responses to go */
|
} else /* more responses to go */
|
||||||
return 1;
|
return 1;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
static void
|
static void
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue