lk/linux-kernel-test
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

[CIFS] Fix buffer overflow if server sends corrupt response to small

Browse Source 
request

In SendReceive() function in transport.c - it memcpy's
message payload into a buffer passed via out_buf param. The function
assumes that all buffers are of size (CIFSMaxBufSize +
MAX_CIFS_HDR_SIZE) , unfortunately it is also called with smaller
(MAX_CIFS_SMALL_BUFFER_SIZE) buffers.  There are eight callers
(SMB worker functions) which are primarily affected by this change:

TreeDisconnect, uLogoff, Close, findClose, SetFileSize, SetFileTimes,
Lock and PosixLock

CC: Dave Kleikamp <shaggy@austin.ibm.com>
CC: Przemyslaw Wegrzyn <czajnik@czajsoft.pl>
Acked-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
This commit is contained in:
Steve French
2007-11-13 22:41:37 +00:00
parent 9418d5dc9b
commit 133672efbc
7 changed files with 134 additions and 97 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
fs/cifs/file.c
View File

@@ -835,9 +835,9 @@ ssize_t cifs_user_write(struct file *file, const char __user *write_data,
xid = GetXid();
if (*poffset > file->f_path.dentry->d_inode->i_size)
long_op = 2; /* writes past end of file can take a long time */
long_op = CIFS_VLONG_OP; /* writes past EOF take long time */
else
long_op = 1;
long_op = CIFS_LONG_OP;
for (total_written = 0; write_size > total_written;
total_written += bytes_written) {
@@ -884,7 +884,7 @@ ssize_t cifs_user_write(struct file *file, const char __user *write_data,
}
} else
*poffset += bytes_written;
long_op = FALSE; /* subsequent writes fast -
long_op = CIFS_STD_OP; /* subsequent writes fast -
15 seconds is plenty */
}
@@ -934,9 +934,9 @@ static ssize_t cifs_write(struct file *file, const char *write_data,
xid = GetXid();
if (*poffset > file->f_path.dentry->d_inode->i_size)
long_op = 2; /* writes past end of file can take a long time */
long_op = CIFS_VLONG_OP; /* writes past EOF can be slow */
else
long_op = 1;
long_op = CIFS_LONG_OP;
for (total_written = 0; write_size > total_written;
total_written += bytes_written) {
@@ -1002,7 +1002,7 @@ static ssize_t cifs_write(struct file *file, const char *write_data,
}
} else
*poffset += bytes_written;
long_op = FALSE; /* subsequent writes fast -
long_op = CIFS_STD_OP; /* subsequent writes fast -
15 seconds is plenty */
}
@@ -1360,7 +1360,7 @@ retry:
open_file->netfid,
bytes_to_write, offset,
&bytes_written, iov, n_iov,
1);
CIFS_LONG_OP);
atomic_dec(&open_file->wrtPending);
if (rc || bytes_written < bytes_to_write) {
cERROR(1, ("Write2 ret %d, wrote %d",