Commit 32670396 authored by Jeff Layton's avatar Jeff Layton Committed by Steve French

cifs: prevent possible memory corruption in cifs_demultiplex_thread

cifs_demultiplex_thread sets the addr.sockAddr.sin_port without any
regard for the socket family. While it may be that the error in question
here never occurs on an IPv6 socket, it's probably best to be safe and
set the port properly if it ever does.

Break the port setting code out of cifs_fill_sockaddr and into a new
function, and call that from cifs_demultiplex_thread.
Signed-off-by: default avatarJeff Layton <jlayton@redhat.com>
Signed-off-by: default avatarSteve French <sfrench@us.ibm.com>
parent 7332f2a6
...@@ -87,8 +87,9 @@ extern unsigned int smbCalcSize_LE(struct smb_hdr *ptr); ...@@ -87,8 +87,9 @@ extern unsigned int smbCalcSize_LE(struct smb_hdr *ptr);
extern int decode_negTokenInit(unsigned char *security_blob, int length, extern int decode_negTokenInit(unsigned char *security_blob, int length,
struct TCP_Server_Info *server); struct TCP_Server_Info *server);
extern int cifs_convert_address(struct sockaddr *dst, const char *src, int len); extern int cifs_convert_address(struct sockaddr *dst, const char *src, int len);
extern int cifs_set_port(struct sockaddr *addr, const unsigned short int port);
extern int cifs_fill_sockaddr(struct sockaddr *dst, const char *src, int len, extern int cifs_fill_sockaddr(struct sockaddr *dst, const char *src, int len,
unsigned short int port); const unsigned short int port);
extern int map_smb_to_linux_error(struct smb_hdr *smb, int logErr); extern int map_smb_to_linux_error(struct smb_hdr *smb, int logErr);
extern void header_assemble(struct smb_hdr *, char /* command */ , extern void header_assemble(struct smb_hdr *, char /* command */ ,
const struct cifsTconInfo *, int /* length of const struct cifsTconInfo *, int /* length of
......
...@@ -463,7 +463,8 @@ cifs_demultiplex_thread(struct TCP_Server_Info *server) ...@@ -463,7 +463,8 @@ cifs_demultiplex_thread(struct TCP_Server_Info *server)
* is since we do not begin with RFC1001 session * is since we do not begin with RFC1001 session
* initialize frame) * initialize frame)
*/ */
server->addr.sockAddr.sin_port = htons(CIFS_PORT); cifs_set_port((struct sockaddr *)
&server->addr.sockAddr, CIFS_PORT);
cifs_reconnect(server); cifs_reconnect(server);
csocket = server->ssocket; csocket = server->ssocket;
wake_up(&server->response_q); wake_up(&server->response_q);
......
...@@ -206,26 +206,30 @@ cifs_convert_address(struct sockaddr *dst, const char *src, int len) ...@@ -206,26 +206,30 @@ cifs_convert_address(struct sockaddr *dst, const char *src, int len)
} }
int int
cifs_fill_sockaddr(struct sockaddr *dst, const char *src, int len, cifs_set_port(struct sockaddr *addr, const unsigned short int port)
const unsigned short int port)
{ {
if (!cifs_convert_address(dst, src, len)) switch (addr->sa_family) {
return 0;
switch (dst->sa_family) {
case AF_INET: case AF_INET:
((struct sockaddr_in *)dst)->sin_port = htons(port); ((struct sockaddr_in *)addr)->sin_port = htons(port);
break; break;
case AF_INET6: case AF_INET6:
((struct sockaddr_in6 *)dst)->sin6_port = htons(port); ((struct sockaddr_in6 *)addr)->sin6_port = htons(port);
break; break;
default: default:
return 0; return 0;
} }
return 1; return 1;
} }
int
cifs_fill_sockaddr(struct sockaddr *dst, const char *src, int len,
const unsigned short int port)
{
if (!cifs_convert_address(dst, src, len))
return 0;
return cifs_set_port(dst, port);
}
/***************************************************************************** /*****************************************************************************
convert a NT status code to a dos class/code convert a NT status code to a dos class/code
*****************************************************************************/ *****************************************************************************/
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment