From patchwork Tue Jan 18 20:33:16 2011 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jeff Layton X-Patchwork-Id: 487451 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by demeter1.kernel.org (8.14.4/8.14.3) with ESMTP id p0IKkIkW008377 for ; Tue, 18 Jan 2011 20:46:20 GMT Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752911Ab1ARUd1 (ORCPT ); Tue, 18 Jan 2011 15:33:27 -0500 Received: from mail-qy0-f174.google.com ([209.85.216.174]:50183 "EHLO mail-qy0-f174.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752680Ab1ARUd1 (ORCPT ); Tue, 18 Jan 2011 15:33:27 -0500 Received: by mail-qy0-f174.google.com with SMTP id 19so3621372qyj.19 for ; Tue, 18 Jan 2011 12:33:27 -0800 (PST) Received: by 10.224.10.193 with SMTP id q1mr5454814qaq.313.1295382807199; Tue, 18 Jan 2011 12:33:27 -0800 (PST) Received: from salusa.poochiereds.net (cpe-071-070-153-003.nc.res.rr.com [71.70.153.3]) by mx.google.com with ESMTPS id e29sm4083259qck.39.2011.01.18.12.33.26 (version=SSLv3 cipher=RC4-MD5); Tue, 18 Jan 2011 12:33:26 -0800 (PST) From: Jeff Layton To: smfrench@gmail.com Cc: linux-cifs@vger.kernel.org Subject: [PATCH 2/5] cifs: clean up unaligned accesses in validate_t2 Date: Tue, 18 Jan 2011 15:33:16 -0500 Message-Id: <1295382799-7902-3-git-send-email-jlayton@redhat.com> X-Mailer: git-send-email 1.7.3.4 In-Reply-To: <1295382799-7902-1-git-send-email-jlayton@redhat.com> References: <1295382799-7902-1-git-send-email-jlayton@redhat.com> Sender: linux-cifs-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-cifs@vger.kernel.org X-Greylist: IP, sender and recipient auto-whitelisted, not delayed by milter-greylist-4.2.6 (demeter1.kernel.org [140.211.167.41]); Tue, 18 Jan 2011 20:46:20 +0000 (UTC) diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c index 3b3072c..75a1559 100644 --- a/fs/cifs/cifssmb.c +++ b/fs/cifs/cifssmb.c @@ -331,31 +331,33 @@ smb_init_no_reconnect(int smb_command, int wct, struct cifsTconInfo *tcon, static int validate_t2(struct smb_t2_rsp *pSMB) { - int rc = -EINVAL; - int total_size; + unsigned int total_size; + + /* check for plausible wct */ + if (pSMB->hdr.WordCount < 10) + goto vt2_err; - /* check for plausible wct, bcc and t2 data and parm sizes */ /* check for parm and data offset going beyond end of smb */ - if (pSMB->hdr.WordCount >= 10) { - if ((le16_to_cpu(pSMB->t2_rsp.ParameterOffset) <= 1024) && - (le16_to_cpu(pSMB->t2_rsp.DataOffset) <= 1024)) { - /* check that bcc is at least as big as parms + data */ - /* check that bcc is less than negotiated smb buffer */ - total_size = le16_to_cpu(pSMB->t2_rsp.ParameterCount); - if (total_size < 512) { - total_size += - le16_to_cpu(pSMB->t2_rsp.DataCount); - if (total_size <= get_bcc(&pSMB->hdr) && - total_size < - CIFSMaxBufSize + MAX_CIFS_HDR_SIZE) { - return 0; - } - } - } - } + if (get_unaligned_le16(&pSMB->t2_rsp.ParameterOffset) > 1024 || + get_unaligned_le16(&pSMB->t2_rsp.DataOffset) > 1024) + goto vt2_err; + + /* check that bcc is at least as big as parms + data */ + /* check that bcc is less than negotiated smb buffer */ + total_size = get_unaligned_le16(&pSMB->t2_rsp.ParameterCount); + if (total_size >= 512) + goto vt2_err; + + total_size += get_unaligned_le16(&pSMB->t2_rsp.DataCount); + if (total_size > get_bcc(&pSMB->hdr) || + total_size >= CIFSMaxBufSize + MAX_CIFS_HDR_SIZE) + goto vt2_err; + + return 0; +vt2_err: cifs_dump_mem("Invalid transact2 SMB: ", (char *)pSMB, sizeof(struct smb_t2_rsp) + 16); - return rc; + return -EINVAL; } int