cifs: check for bytes_remaining going to zero in CIFS_SessSetup

It's possible that when we go to decode the string area in the
SESSION_SETUP response, that bytes_remaining will be 0. Decrementing it at
that point will mean that it can go "negative" and wrap. Check for a
bytes_remaining value of 0, and don't try to decode the string area if
that's the case.

Cc: stable@kernel.org
Reported-and-Acked-by: David Howells <dhowells@redhat.com>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>

authored by Jeff Layton and committed by Steve French fcda7f45 bfacf222

+3 -1
fs/cifs/sess.c
··· 916 916 } 917 917 918 918 /* BB check if Unicode and decode strings */ 919 - if (smb_buf->Flags2 & SMBFLG2_UNICODE) { 919 + if (bytes_remaining == 0) { 920 + /* no string area to decode, do nothing */ 921 + } else if (smb_buf->Flags2 & SMBFLG2_UNICODE) { 920 922 /* unicode string area must be word-aligned */ 921 923 if (((unsigned long) bcc_ptr - (unsigned long) smb_buf) % 2) { 922 924 ++bcc_ptr;
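Review bot: the new `if (bytes_remaining == 0)` branch at line 919 has an empty body, and its comment ("no string area to decode, do nothing") does not record why zero has to be special-cased. Going by the commit message, the hazard is that the count is decremented alongside the `++bcc_ptr` alignment pad in the Unicode branch and would wrap. The comment should say that, so a later cleanup does not fold the empty branch away as dead code. The guard also only covers a count of exactly 0 on entry. Because the alignment step just below it consumes one byte, it is worth confirming in the same change that a string area of a single byte, which reaches 0 after the pad is skipped, is handled safely by the decode path that follows.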