Commit 8a3c4e44 authored by Paulo Alcantara's avatar Paulo Alcantara Committed by Steve French

cifs: get rid of dup length check in parse_reparse_point()

smb2_compound_op(SMB2_OP_GET_REPARSE) already checks if ioctl response
has a valid reparse data buffer's length, so there's no need to check
it again in parse_reparse_point().

In order to get rid of the duplicate check, validate the reparse data buffer's
length in cifs_query_reparse_point() as well.
Signed-off-by: default avatarPaulo Alcantara (SUSE) <pc@manguebit.com>
Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
parent 6d039984
...@@ -2700,11 +2700,12 @@ int cifs_query_reparse_point(const unsigned int xid, ...@@ -2700,11 +2700,12 @@ int cifs_query_reparse_point(const unsigned int xid,
u32 *tag, struct kvec *rsp, u32 *tag, struct kvec *rsp,
int *rsp_buftype) int *rsp_buftype)
{ {
struct reparse_data_buffer *buf;
struct cifs_open_parms oparms; struct cifs_open_parms oparms;
TRANSACT_IOCTL_REQ *io_req = NULL; TRANSACT_IOCTL_REQ *io_req = NULL;
TRANSACT_IOCTL_RSP *io_rsp = NULL; TRANSACT_IOCTL_RSP *io_rsp = NULL;
struct cifs_fid fid; struct cifs_fid fid;
__u32 data_offset, data_count; __u32 data_offset, data_count, len;
__u8 *start, *end; __u8 *start, *end;
int io_rsp_len; int io_rsp_len;
int oplock = 0; int oplock = 0;
...@@ -2774,7 +2775,16 @@ int cifs_query_reparse_point(const unsigned int xid, ...@@ -2774,7 +2775,16 @@ int cifs_query_reparse_point(const unsigned int xid,
goto error; goto error;
} }
*tag = le32_to_cpu(((struct reparse_data_buffer *)start)->ReparseTag); data_count = le16_to_cpu(io_rsp->ByteCount);
buf = (struct reparse_data_buffer *)start;
len = sizeof(*buf);
if (data_count < len ||
data_count < le16_to_cpu(buf->ReparseDataLength) + len) {
rc = -EIO;
goto error;
}
*tag = le32_to_cpu(buf->ReparseTag);
rsp->iov_base = io_rsp; rsp->iov_base = io_rsp;
rsp->iov_len = io_rsp_len; rsp->iov_len = io_rsp_len;
*rsp_buftype = CIFS_LARGE_BUFFER; *rsp_buftype = CIFS_LARGE_BUFFER;
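Review bot: The new check bounds `ReparseDataLength` against `io_rsp->ByteCount`, which covers the whole SMB1 byte area rather than the bytes left between `start` and `end` (both computed before this hunk); since `start` is offset into that area by DataOffset, a `ReparseDataLength` that fits within ByteCount can, if I read the surrounding code correctly, still extend past `end`, which is exactly what the check is meant to prevent. A tighter bound would use the span the function already has: `if (end - start < len || end - start < le16_to_cpu(buf->ReparseDataLength) + len) { rc = -EIO; goto error; }`. Reusing `data_count` (declared before the hunk and presumably already holding DataCount) for a different quantity also reads oddly; a dedicated local would be clearer. cifs_query_reparse_point() starts before this hunk and continues after it.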
...@@ -2947,18 +2947,6 @@ int parse_reparse_point(struct reparse_data_buffer *buf, ...@@ -2947,18 +2947,6 @@ int parse_reparse_point(struct reparse_data_buffer *buf,
u32 plen, struct cifs_sb_info *cifs_sb, u32 plen, struct cifs_sb_info *cifs_sb,
bool unicode, struct cifs_open_info_data *data) bool unicode, struct cifs_open_info_data *data)
{ {
if (plen < sizeof(*buf)) {
cifs_dbg(VFS, "%s: reparse buffer is too small. Must be at least 8 bytes but was %d\n",
__func__, plen);
return -EIO;
}
if (plen < le16_to_cpu(buf->ReparseDataLength) + sizeof(*buf)) {
cifs_dbg(VFS, "%s: invalid reparse buf length: %d\n",
__func__, plen);
return -EIO;
}
data->reparse.buf = buf; data->reparse.buf = buf;
/* See MS-FSCC 2.1.2 */ /* See MS-FSCC 2.1.2 */
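Review bot: With both `plen` checks removed, parse_reparse_point() now relies entirely on the caller having verified `plen >= sizeof(*buf) + ReparseDataLength` before the rest of the body (outside this hunk) presumably reads `buf`'s fields, yet that precondition is not stated at the definition. A comment above the signature, e.g. `/* @buf/@plen must already be length-validated by the caller (cifs_query_reparse_point() and smb2_compound_op(SMB2_OP_GET_REPARSE) do so). */`, would keep a future third caller from reintroducing an unchecked-length read. The removed checks also logged a cifs_dbg(VFS, ...) on malformed data, so such responses now fail with a bare -EIO from the callers; worth confirming that is acceptable for diagnosing bad servers. The function body continues beyond the hunk.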