Commit 497728e1 authored by Jeff Layton's avatar Jeff Layton Committed by Steve French

cifs: fix bad buffer length check in coalesce_t2

The current check looks to see if the RFC1002 length is larger than
CIFSMaxBufSize, and fails if it is. The buffer is actually larger than
that by MAX_CIFS_HDR_SIZE.

This bug has been around for a long time, but the fact that we used to
cap the clients MaxBufferSize at the same level as the server tended
to paper over it. Commit c974befa changed that however and caused this
bug to bite in more cases.
Reported-and-Tested-by: default avatarKonstantinos Skarlatos <k.skarlatos@gmail.com>
Tested-by: default avatarShirish Pargaonkar <shirishpargaonkar@gmail.com>
Signed-off-by: default avatarJeff Layton <jlayton@redhat.com>
Signed-off-by: default avatarSteve French <smfrench@gmail.com>
parent f9fab10b
...@@ -282,7 +282,7 @@ static int coalesce_t2(struct smb_hdr *psecond, struct smb_hdr *pTargetSMB) ...@@ -282,7 +282,7 @@ static int coalesce_t2(struct smb_hdr *psecond, struct smb_hdr *pTargetSMB)
byte_count = be32_to_cpu(pTargetSMB->smb_buf_length); byte_count = be32_to_cpu(pTargetSMB->smb_buf_length);
byte_count += total_in_buf2; byte_count += total_in_buf2;
/* don't allow buffer to overflow */ /* don't allow buffer to overflow */
if (byte_count > CIFSMaxBufSize) if (byte_count > CIFSMaxBufSize + MAX_CIFS_HDR_SIZE - 4)
return -ENOBUFS; return -ENOBUFS;
pTargetSMB->smb_buf_length = cpu_to_be32(byte_count); pTargetSMB->smb_buf_length = cpu_to_be32(byte_count);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment