cifs: fix unaligned access in check2ndT2 and coalesce_t2

Signed-off-by: Jeff Layton <jlayton@redhat.com>
Acked-by: Pavel Shilovsky <piastryyy@gmail.com>
Reviewed-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>

authored by Jeff Layton and committed by Steve French 26ec2548 12df83c9

+14 -19
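--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -232,9 +232,8 @@
 static int check2ndT2(struct smb_hdr *pSMB, unsigned int maxBufSize)
 {
 	struct smb_t2_rsp *pSMBt;
-	int total_data_size;
-	int data_in_this_rsp;
 	int remaining;
+	__u16 total_data_size, data_in_this_rsp;
 
 	if (pSMB->Command != SMB_COM_TRANSACTION2)
 		return 0;
@@ -247,8 +248,8 @@
 
 	pSMBt = (struct smb_t2_rsp *)pSMB;
 
-	total_data_size = le16_to_cpu(pSMBt->t2_rsp.TotalDataCount);
-	data_in_this_rsp = le16_to_cpu(pSMBt->t2_rsp.DataCount);
+	total_data_size = get_unaligned_le16(&pSMBt->t2_rsp.TotalDataCount);
+	data_in_this_rsp = get_unaligned_le16(&pSMBt->t2_rsp.DataCount);
 
 	remaining = total_data_size - data_in_this_rsp;
 
@@ -274,21 +275,18 @@
 {
 	struct smb_t2_rsp *pSMB2 = (struct smb_t2_rsp *)psecond;
 	struct smb_t2_rsp *pSMBt = (struct smb_t2_rsp *)pTargetSMB;
-	int total_data_size;
-	int total_in_buf;
-	int remaining;
-	int total_in_buf2;
 	char *data_area_of_target;
 	char *data_area_of_buf2;
-	__u16 byte_count;
+	int remaining;
+	__u16 byte_count, total_data_size, total_in_buf, total_in_buf2;
 
-	total_data_size = le16_to_cpu(pSMBt->t2_rsp.TotalDataCount);
+	total_data_size = get_unaligned_le16(&pSMBt->t2_rsp.TotalDataCount);
 
-	if (total_data_size != le16_to_cpu(pSMB2->t2_rsp.TotalDataCount)) {
+	if (total_data_size !=
+	    get_unaligned_le16(&pSMB2->t2_rsp.TotalDataCount))
 		cFYI(1, "total data size of primary and secondary t2 differ");
-	}
 
-	total_in_buf = le16_to_cpu(pSMBt->t2_rsp.DataCount);
+	total_in_buf = get_unaligned_le16(&pSMBt->t2_rsp.DataCount);
 
 	remaining = total_data_size - total_in_buf;
 
@@ -295,25 +299,25 @@
 	if (remaining == 0) /* nothing to do, ignore */
 		return 0;
 
-	total_in_buf2 = le16_to_cpu(pSMB2->t2_rsp.DataCount);
+	total_in_buf2 = get_unaligned_le16(&pSMB2->t2_rsp.DataCount);
 	if (remaining < total_in_buf2) {
 		cFYI(1, "transact2 2nd response contains too much data");
 	}
 
 	/* find end of first SMB data area */
 	data_area_of_target = (char *)&pSMBt->hdr.Protocol +
-		le16_to_cpu(pSMBt->t2_rsp.DataOffset);
+		get_unaligned_le16(&pSMBt->t2_rsp.DataOffset);
 	/* validate target area */
 
-	data_area_of_buf2 = (char *) &pSMB2->hdr.Protocol +
-		le16_to_cpu(pSMB2->t2_rsp.DataOffset);
+	data_area_of_buf2 = (char *)&pSMB2->hdr.Protocol +
+		get_unaligned_le16(&pSMB2->t2_rsp.DataOffset);
 
 	data_area_of_target += total_in_buf;
 
 	/* copy second buffer into end of first buffer */
 	memcpy(data_area_of_target, data_area_of_buf2, total_in_buf2);
 	total_in_buf += total_in_buf2;
-	pSMBt->t2_rsp.DataCount = cpu_to_le16(total_in_buf);
+	put_unaligned_le16(total_in_buf, &pSMBt->t2_rsp.DataCount);
 	byte_count = get_bcc_le(pTargetSMB);
 	byte_count += total_in_buf2;
 	put_bcc_le(byte_count, pTargetSMB);
@@ -330,7 +334,6 @@
 		return 0; /* we are done */
 	} else /* more responses to go */
 		return 1;
-
 }
 
 static void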
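Review bot: In coalesce_t2 the `if (remaining < total_in_buf2)` check at new lines 303-305 still only logs, and the memcpy at new line 318 then copies total_in_buf2 bytes into the first buffer regardless; both counts are read straight from the server's response, so the check should fail the frame rather than just report it, e.g. `if (remaining < total_in_buf2) { cFYI(1, "transact2 2nd response contains too much data"); return -EINVAL; }`, with the error value chosen to match how the caller (outside this hunk) already treats failures. Enforcing that bound also keeps the now-narrowed `__u16 total_in_buf += total_in_buf2` at new line 319 from wrapping, since total_in_buf + total_in_buf2 can then never exceed total_data_size. The `/* validate target area */` comment at new line 310 has no check beneath it: the DataOffset values read at new lines 309 and 313 should be bounded against the respective buffers' lengths before they are used as pointer offsets, which is presumably what the comment was meant to cover. check2ndT2's use of `remaining` continues outside the hunk, so whether a negative result of the subtraction at new line 254 is handled cannot be confirmed from here.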