Commit 781cd275 authored by Alexander Viro's avatar Alexander Viro Committed by Linus Torvalds

[PATCH] cifs: annotate fea{,list}, endianness bugfix

in CIFSSMSetEA() ->list_len got (__u32)cpu_to_le16() instead of cpu_to_le32().
Broken on big-endian...
Signed-off-by: default avatarAl Viro <viro@parcelfarce.linux.org.uk>
Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
parent ca248b4d
...@@ -1707,7 +1707,7 @@ struct gealist { ...@@ -1707,7 +1707,7 @@ struct gealist {
struct fea { struct fea {
unsigned char EA_flags; unsigned char EA_flags;
__u8 name_len; __u8 name_len;
__u16 value_len; __le16 value_len;
char name[1]; char name[1];
/* optionally followed by value */ /* optionally followed by value */
}; };
...@@ -1715,7 +1715,7 @@ struct fea { ...@@ -1715,7 +1715,7 @@ struct fea {
#define FEA_NEEDEA 0x80 /* need EA bit */ #define FEA_NEEDEA 0x80 /* need EA bit */
struct fealist { struct fealist {
__u32 list_len; __le32 list_len;
struct fea list[1]; struct fea list[1];
}; };
......
...@@ -3107,10 +3107,8 @@ CIFSSMBQAllEAs(const int xid, struct cifsTconInfo *tcon, ...@@ -3107,10 +3107,8 @@ CIFSSMBQAllEAs(const int xid, struct cifsTconInfo *tcon,
ea_response_data = (struct fealist *) ea_response_data = (struct fealist *)
(((char *) &pSMBr->hdr.Protocol) + (((char *) &pSMBr->hdr.Protocol) +
data_offset); data_offset);
ea_response_data->list_len = name_len = le32_to_cpu(ea_response_data->list_len);
cpu_to_le32(ea_response_data->list_len); cFYI(1,("ea length %d", name_len));
cFYI(1,("ea length %d",ea_response_data->list_len));
name_len = ea_response_data->list_len;
if(name_len <= 8) { if(name_len <= 8) {
/* returned EA size zeroed at top of function */ /* returned EA size zeroed at top of function */
cFYI(1,("empty EA list returned from server")); cFYI(1,("empty EA list returned from server"));
...@@ -3120,6 +3118,7 @@ CIFSSMBQAllEAs(const int xid, struct cifsTconInfo *tcon, ...@@ -3120,6 +3118,7 @@ CIFSSMBQAllEAs(const int xid, struct cifsTconInfo *tcon,
temp_fea = ea_response_data->list; temp_fea = ea_response_data->list;
temp_ptr = (char *)temp_fea; temp_ptr = (char *)temp_fea;
while(name_len > 0) { while(name_len > 0) {
__u16 value_len;
name_len -= 4; name_len -= 4;
temp_ptr += 4; temp_ptr += 4;
rc += temp_fea->name_len; rc += temp_fea->name_len;
...@@ -3145,9 +3144,9 @@ CIFSSMBQAllEAs(const int xid, struct cifsTconInfo *tcon, ...@@ -3145,9 +3144,9 @@ CIFSSMBQAllEAs(const int xid, struct cifsTconInfo *tcon,
/* account for trailing null */ /* account for trailing null */
name_len--; name_len--;
temp_ptr++; temp_ptr++;
temp_fea->value_len = cpu_to_le16(temp_fea->value_len); value_len = le16_to_cpu(temp_fea->value_len);
name_len -= temp_fea->value_len; name_len -= value_len;
temp_ptr += temp_fea->value_len; temp_ptr += value_len;
/* BB check that temp_ptr is still within smb BB*/ /* BB check that temp_ptr is still within smb BB*/
/* no trailing null to account for in value len */ /* no trailing null to account for in value len */
/* go on to next EA */ /* go on to next EA */
...@@ -3250,10 +3249,8 @@ ssize_t CIFSSMBQueryEA(const int xid,struct cifsTconInfo * tcon, ...@@ -3250,10 +3249,8 @@ ssize_t CIFSSMBQueryEA(const int xid,struct cifsTconInfo * tcon,
ea_response_data = (struct fealist *) ea_response_data = (struct fealist *)
(((char *) &pSMBr->hdr.Protocol) + (((char *) &pSMBr->hdr.Protocol) +
data_offset); data_offset);
ea_response_data->list_len = name_len = le32_to_cpu(ea_response_data->list_len);
cpu_to_le32(ea_response_data->list_len); cFYI(1,("ea length %d", name_len));
cFYI(1,("ea length %d",ea_response_data->list_len));
name_len = ea_response_data->list_len;
if(name_len <= 8) { if(name_len <= 8) {
/* returned EA size zeroed at top of function */ /* returned EA size zeroed at top of function */
cFYI(1,("empty EA list returned from server")); cFYI(1,("empty EA list returned from server"));
...@@ -3265,15 +3262,16 @@ ssize_t CIFSSMBQueryEA(const int xid,struct cifsTconInfo * tcon, ...@@ -3265,15 +3262,16 @@ ssize_t CIFSSMBQueryEA(const int xid,struct cifsTconInfo * tcon,
/* loop through checking if we have a matching /* loop through checking if we have a matching
name and then return the associated value */ name and then return the associated value */
while(name_len > 0) { while(name_len > 0) {
__u16 value_len;
name_len -= 4; name_len -= 4;
temp_ptr += 4; temp_ptr += 4;
temp_fea->value_len = cpu_to_le16(temp_fea->value_len); value_len = le16_to_cpu(temp_fea->value_len);
/* BB validate that value_len falls within SMB, /* BB validate that value_len falls within SMB,
even though maximum for name_len is 255 */ even though maximum for name_len is 255 */
if(memcmp(temp_fea->name,ea_name, if(memcmp(temp_fea->name,ea_name,
temp_fea->name_len) == 0) { temp_fea->name_len) == 0) {
/* found a match */ /* found a match */
rc = temp_fea->value_len; rc = value_len;
/* account for prefix user. and trailing null */ /* account for prefix user. and trailing null */
if(rc<=(int)buf_size) { if(rc<=(int)buf_size) {
memcpy(ea_value, memcpy(ea_value,
...@@ -3294,8 +3292,8 @@ ssize_t CIFSSMBQueryEA(const int xid,struct cifsTconInfo * tcon, ...@@ -3294,8 +3292,8 @@ ssize_t CIFSSMBQueryEA(const int xid,struct cifsTconInfo * tcon,
/* account for trailing null */ /* account for trailing null */
name_len--; name_len--;
temp_ptr++; temp_ptr++;
name_len -= temp_fea->value_len; name_len -= value_len;
temp_ptr += temp_fea->value_len; temp_ptr += value_len;
/* no trailing null to account for in value len */ /* no trailing null to account for in value len */
/* go on to next EA */ /* go on to next EA */
temp_fea = (struct fea *)temp_ptr; temp_fea = (struct fea *)temp_ptr;
...@@ -3378,7 +3376,7 @@ CIFSSMBSetEA(const int xid, struct cifsTconInfo *tcon, const char *fileName, ...@@ -3378,7 +3376,7 @@ CIFSSMBSetEA(const int xid, struct cifsTconInfo *tcon, const char *fileName,
pSMB->SubCommand = cpu_to_le16(TRANS2_SET_PATH_INFORMATION); pSMB->SubCommand = cpu_to_le16(TRANS2_SET_PATH_INFORMATION);
byte_count = 3 /* pad */ + params + count; byte_count = 3 /* pad */ + params + count;
pSMB->DataCount = cpu_to_le16(count); pSMB->DataCount = cpu_to_le16(count);
parm_data->list_len = (__u32)(pSMB->DataCount); parm_data->list_len = cpu_to_le32(count);
parm_data->list[0].EA_flags = 0; parm_data->list[0].EA_flags = 0;
/* we checked above that name len is less than 255 */ /* we checked above that name len is less than 255 */
parm_data->list[0].name_len = (__u8)name_len;; parm_data->list[0].name_len = (__u8)name_len;;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment