cifsd: Update out_buf_len in smb2_populate_readdir_entry()

When processing a SMB2 QUERY_DIRECTORY request, smb2_populate_readdir_entry() is called first to fill the dot/dotdot entries. This moves the d_info->wptr pointer but out_buf_len remains unchanged. As a result, reserve_populate_dentry() may end up writing past the end of the buffer since the bounds checking is done on invalid values. Signed-off-by: Marios Makassikis <mmakassikis@freebox.fr> Signed-off-by: Namjae Jeon <namjae.jeon@samsung.com> Signed-off-by: Steve French <stfrench@microsoft.com>

cifsd: Update out_buf_len in smb2_populate_readdir_entry()
When processing a SMB2 QUERY_DIRECTORY request, smb2_populate_readdir_entry() is called first to fill the dot/dotdot entries. This moves the d_info->wptr pointer but out_buf_len remains unchanged. As a result, reserve_populate_dentry() may end up writing past the end of the buffer since the bounds checking is done on invalid values. Signed-off-by: Marios Makassikis <mmakassikis@freebox.fr> Signed-off-by: Namjae Jeon <namjae.jeon@samsung.com> Signed-off-by: Steve French <stfrench@microsoft.com>
e7735c85 · Marios Makassikis · Steve French · 79caa960 · e7735c85
Commit e7735c85 authored May 06, 2021 by Marios Makassikis Committed by Steve French May 10, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 0 deletions

fs/cifsd/smb2pdu.c fs/cifsd/smb2pdu.c +1 -0

No files found.
--- a/fs/cifsd/smb2pdu.c
+++ b/fs/cifsd/smb2pdu.c
@@ -3333,6 +3333,7 @@ static int smb2_populate_readdir_entry(struct ksmbd_conn *conn, int info_level,

 	d_info->last_entry_offset = d_info->data_count;
 	d_info->data_count += next_entry_offset;
+	d_info->out_buf_len -= next_entry_offset;
 	d_info->wptr += next_entry_offset;
 	kfree(conv_name);