Commit a1aa2098 authored by Stefan Esser, committed by Linus Torvalds

[PATCH] smbfs protocol fixes

From: <Urban.Widmark@enlight.net>

The memset is because it was previously possible to always send the same CIFS
fragment and use this to increase the data counters.  When the data counter
"exceeds" the amount of bytes expected this will return the buffer only
partially initialised...  With findfirst etc. requests this should allow
leaking kernel memory content.

The other thing is that the data is only returned when data_tot and parm_tot
both "exceed" the expected values.  Previously it was possible to create a
sequence of CIFS fragments that allowed exceeding the counters.  The calling
functions then would believe they received a number of bytes that does not fit
into the allocated buffer.

Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
parent fcb4b9ea
...@@ -634,6 +634,7 @@ static int smb_recv_trans2(struct smb_sb_info *server, struct smb_request *req) ...@@ -634,6 +634,7 @@ static int smb_recv_trans2(struct smb_sb_info *server, struct smb_request *req)
req->rq_trans2buffer = smb_kmalloc(buf_len, GFP_NOFS); req->rq_trans2buffer = smb_kmalloc(buf_len, GFP_NOFS);
if (!req->rq_trans2buffer) if (!req->rq_trans2buffer)
goto out_no_mem; goto out_no_mem;
memset(req->rq_trans2buffer, 0, buf_len);
req->rq_parm = req->rq_trans2buffer; req->rq_parm = req->rq_trans2buffer;
req->rq_data = req->rq_trans2buffer + parm_tot; req->rq_data = req->rq_trans2buffer + parm_tot;
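Review bot: the new memset is the fix for the partially-initialised-buffer leak described in the commit message, but nothing in the code says why it is there; add a short comment above it, for example `/* Zero the buffer: fragments may not fill it, and stale heap contents must not be returned */`, so that a later reader does not remove it as a redundant clear. The length argument `buf_len` is the same value passed to `smb_kmalloc(buf_len, GFP_NOFS)` on the line above, so the clear covers the whole parm plus data area that `rq_parm` and `rq_data` point into.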
...@@ -657,8 +658,11 @@ static int smb_recv_trans2(struct smb_sb_info *server, struct smb_request *req) ...@@ -657,8 +658,11 @@ static int smb_recv_trans2(struct smb_sb_info *server, struct smb_request *req)
* Check whether we've received all of the data. Note that * Check whether we've received all of the data. Note that
* we use the packet totals -- total lengths might shrink! * we use the packet totals -- total lengths might shrink!
*/ */
if (req->rq_ldata >= data_tot && req->rq_lparm >= parm_tot) if (req->rq_ldata >= data_tot && req->rq_lparm >= parm_tot) {
req->rq_ldata = data_tot;
req->rq_lparm = parm_tot;
return 0; return 0;
}
return 1; return 1;
out_too_long: out_too_long:
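Review bot: clamping `req->rq_ldata` and `req->rq_lparm` to `data_tot` and `parm_tot` stops callers from being told a byte count larger than the buffer, which the previous hunk sizes as parm area followed by data area at offset `parm_tot`, but it only corrects the reported lengths after the fact. Confirm that the per-fragment copies earlier in `smb_recv_trans2`, outside this hunk, bound each copy by the space remaining below the packet totals, since a sequence of fragments that pushes the counters past the totals before this check is reached would already have written past the buffer. The existing comment ("total lengths might shrink!") explains why the packet totals are the right bound; extending it with one line saying the counters are clamped for the same reason would document the new assignments. The braces added around the now multi-line `if` body are correct.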