Marios Makassikis authored
When processing a SMB2 QUERY_DIRECTORY request, smb2_populate_readdir_entry() is called first to fill the dot/dotdot entries. This moves the d_info->wptr pointer but out_buf_len remains unchanged. As a result, reserve_populate_dentry() may end up writing past the end of the buffer since the bounds checking is done on invalid values.

Signed-off-by: Marios Makassikis <mmakassikis@freebox.fr>
Signed-off-by: Namjae Jeon <namjae.jeon@samsung.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
e7735c85
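The failure mode the commit message describes, as an added example that is not part of the commit or of ksmbd's code: a simplified model in which the write pointer advances while the remaining-length field used for the bounds check does not. The struct layout, `put_entry()`, `guard_bytes_hit()` and the entry sizes are assumptions constructed for illustration; only the field names `wptr` and `out_buf_len` come from the message.

```c
#include <stdio.h>
#include <string.h>

#define CAP   32   /* logical size of the response buffer (constructed) */
#define GUARD 32   /* slack after it so the modelled overrun stays inside backing[] */

struct dir_info {            /* simplified stand-in, not the kernel struct */
    unsigned char *wptr;     /* next write position */
    int out_buf_len;         /* bytes the bounds check believes remain */
};

/* Check n against out_buf_len, write n bytes, advance wptr.
 * update_len == 0 models a writer that moves wptr but leaves out_buf_len stale. */
static int put_entry(struct dir_info *d, int n, int update_len)
{
    if (n > d->out_buf_len)
        return -1;                      /* entry does not fit: refuse */
    memset(d->wptr, 'E', (size_t)n);
    d->wptr += n;
    if (update_len)
        d->out_buf_len -= n;
    return 0;
}

/* Fill dot/dotdot, then one regular entry; return how many bytes landed past CAP. */
static int guard_bytes_hit(int dots_update_len)
{
    unsigned char backing[CAP + GUARD];
    struct dir_info d = { backing, CAP };
    int i, hit = 0;

    memset(backing, 0xAA, sizeof(backing));
    put_entry(&d, 12, dots_update_len);   /* "."  entry, constructed size */
    put_entry(&d, 12, dots_update_len);   /* ".." entry, constructed size */
    put_entry(&d, 16, 1);                 /* regular entry: 24 + 16 > CAP */
    for (i = 0; i < GUARD; i++)
        hit += backing[CAP + i] != 0xAA;
    return hit;
}

int main(void)
{
    printf("stale out_buf_len: %d bytes past the buffer\n", guard_bytes_hit(0));
    printf("length kept in sync: %d bytes past the buffer\n", guard_bytes_hit(1));
    return 0;
}
```

With the length left stale, the third entry passes the check against the full 32 bytes although only 8 remain; with the length decremented alongside `wptr`, the same entry is refused.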