• Jeff Layton's avatar
    smbfs: fix calculation of kernel_recvmsg size parameter in smb_receive() · ce88cc5e
    Jeff Layton authored
    smb_receive calls kernel_recvmsg with a size that's the minimum of the
    amount of buffer space in the kvec passed in or req->rq_rlen (which
    represents the length of the response).  This does not take into account
    any data that was read in a request earlier pass through smb_receive.
    
    If the first pass through smb_receive receives some but not all of the
    response, then the next pass can call kernel_recvmsg with a size field
    that's too big.  kernel_recvmsg can overrun into the next response,
    throwing off the alignment and making it unrecognizable.
    
    This causes messages like this to pop up in the ring buffer:
    
    smb_get_length: Invalid NBT packet, code=69
    
    as well as other errors indicating that the response is unrecognizable.
    Typically this is seen on a smbfs mount under heavy I/O.
    
    This patch changes the code to use (req->rq_rlen - req->rq_bytes_recvd)
    instead instead of just req->rq_rlen, since that should represent the
    amount of unread data in the response.
    
    I think this is correct, but an ACK or NACK from someone more familiar
    with this code would be appreciated...
    Signed-off-by: default avatarJeff Layton <jlayton@redhat.com>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    ce88cc5e
sock.c 7.84 KB