[PATCH] more smbfs buffer overrun fixes

More of the same - some of these guys have stuff after pathname. Overflow checks added.

[PATCH] more smbfs buffer overrun fixes
More of the same - some of these guys have stuff after pathname. Overflow checks added.
93521b61 · Alexander Viro · Linus Torvalds · 3eb2eac7 · 93521b61
Commit 93521b61 authored Feb 19, 2002 by Alexander Viro Committed by Linus Torvalds Feb 19, 2002
Hide whitespace changes
Inline Side-by-side

Showing with 14 additions and 0 deletions

fs/smbfs/proc.c fs/smbfs/proc.c +14 -0

No files found.
--- a/fs/smbfs/proc.c
+++ b/fs/smbfs/proc.c
@@ -1628,11 +1628,21 @@ smb_proc_readdir_short(struct file *filp, void *dirent, filldir_t filldir,
 			result = smb_simple_encode_path(server, &p, dir, &mask);
 			if (result < 0)
 				goto unlock_return;
+			if (p + 3 > (char*)server->packet+server->packet_size) {
+				result = -ENAMETOOLONG;
+				goto unlock_return;
+			}
 			*p++ = 5;
 			WSET(p, 0, 0);
 			p += 2;
 			first = 0;
 		} else {
+			if (p + 5 + SMB_STATUS_SIZE >
+			    (char*)server->packet + server->packet_size) {
+				result = -ENAMETOOLONG;
+				goto unlock_return;
+			}
+				
 			*p++ = 4;
 			*p++ = 0;
 			*p++ = 5;
@@ -2355,6 +2365,10 @@ smb_proc_setattr_core(struct smb_sb_info *server, struct dentry *dentry,
 	result = smb_simple_encode_path(server, &p, dentry, NULL);
 	if (result < 0)
 		goto out;
+	if (p + 2 > (char *)server->packet + server->packet_size) {
+		result = -ENAMETOOLONG;
+		goto out;
+	}
 	*p++ = 4;
 	*p++ = 0;
 	smb_setup_bcc(server, p);