Commit a8484fc3 authored by Steve French, committed by Jiri Slaby

Fix corrupt SMB2 ioctl requests

commit 7ff8d45c upstream.

We were off by one calculating the length of ioctls in some cases
because the protocol specification for SMB2 ioctl includes a minimum
one byte payload but not all SMB2 ioctl requests actually have
a data buffer to send. We were also not zeroing out the
return buffer (in case of error this is helpful).
Signed-off-by: Steve French <smfrench@gmail.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
parent 266ed50f
......@@ -1228,6 +1228,7 @@ SMB2_ioctl(const unsigned int xid, struct cifs_tcon *tcon, u64 persistent_fid,
cifs_dbg(FYI, "SMB2 IOCTL\n");
*out_data = NULL;
/* zero out returned data len, in case of error */
if (plen)
*plen = 0;
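Review bot: the NULL guard around `*plen = 0;` is needed because callers that do not want output data pass a NULL length pointer, so an unconditional store would oops; since `*out_data` is already set to NULL on the preceding line, a caller that checks `rc` and then reads `*plen` after an early error now sees a consistent (NULL, 0) pair rather than stale stack contents. It would help a future reader to fold that into the comment, e.g. `/* zero out returned data len, in case of error (plen may be NULL) */`.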
......@@ -1273,11 +1274,23 @@ SMB2_ioctl(const unsigned int xid, struct cifs_tcon *tcon, u64 persistent_fid,
req->Flags = 0;
iov[0].iov_base = (char *)req;
/* 4 for rfc1002 length field */
/*
* If no input data, the size of ioctl struct in
* protocol spec still includes a 1 byte data buffer,
* but if input data passed to ioctl, we do not
* want to double count this, so we do not send
* the dummy one byte of data in iovec[0] if sending
* input data (in iovec[1]). We also must add 4 bytes
* in first iovec to allow for rfc1002 length field.
*/
if (indatalen) {
iov[0].iov_len = get_rfc1002_length(req) + 4 - 1;
inc_rfc1001_len(req, indatalen - 1);
} else
iov[0].iov_len = get_rfc1002_length(req) + 4;
if (indatalen)
inc_rfc1001_len(req, indatalen);
rc = SendReceive2(xid, ses, iov, num_iovecs, &resp_buftype, 0);
rsp = (struct smb2_ioctl_rsp *)iov[0].iov_base;
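Review bot: the `if (indatalen) { ... } else` construct uses braces on only one branch; kernel coding style asks for braces on both branches when either needs them, so the `else` should become `} else {` with a closing brace after the `iov[0].iov_len = get_rfc1002_length(req) + 4;` line. The one-line `/* 4 for rfc1002 length field */` comment is now restated inside the new block comment and can be dropped to avoid saying the same thing twice. The arithmetic itself is consistent: with input data, iovec[0] is shortened by the one dummy payload byte the request struct already carries and the RFC1001 length grows by `indatalen - 1`, so the on-the-wire total equals header plus `indatalen` exactly, which matches the off-by-one described in the commit message.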