From patchwork Tue Apr 26 12:03:18 2011
X-Patchwork-Submitter: Jeff Layton
X-Patchwork-Id: 732302
From: Jeff Layton
To: smfrench@gmail.com
Cc: dhowells@redhat.com, linux-cifs@vger.kernel.org
Subject: [PATCH 2/5] cifs: check for bytes_remaining going to zero in CIFS_SessSetup
Date: Tue, 26 Apr 2011 08:03:18 -0400
Message-Id: <1303819401-14789-3-git-send-email-jlayton@redhat.com>
X-Mailer: git-send-email 1.7.4.4
In-Reply-To: <1303819401-14789-1-git-send-email-jlayton@redhat.com>
References: <1303819401-14789-1-git-send-email-jlayton@redhat.com>
X-Mailing-List: linux-cifs@vger.kernel.org

It's possible that when we go to decode the string area in the SESSION_SETUP response, that bytes_remaining will be 0. Decrementing it at that point will mean that it can go "negative" and wrap.

Check for a bytes_remaining value of 0, and don't try to decode the string area if that's the case.

Cc: stable@kernel.org
Reported-by: David Howells
Signed-off-by: Jeff Layton
Acked-by: David Howells
---
 fs/cifs/sess.c | 4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
index 2e2c911..645114a 100644
--- a/fs/cifs/sess.c
+++ b/fs/cifs/sess.c
@@ -916,7 +916,9 @@ ssetup_ntlmssp_authenticate: } /* BB check if Unicode and decode strings */ - if (smb_buf->Flags2 & SMBFLG2_UNICODE) { + if (bytes_remaining == 0) { + /* no string area to decode, do nothing */ + } else if (smb_buf->Flags2 & SMBFLG2_UNICODE) { /* unicode string area must be word-aligned */ if (((unsigned long) bcc_ptr - (unsigned long) smb_buf) % 2) { ++bcc_ptr;
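Review bot: the empty body of the new `if (bytes_remaining == 0) { /* no string area to decode, do nothing */ }` branch carries the whole fix, since it is what keeps the Unicode decode path shown in the hunk (and whatever non-Unicode path follows the `else if`) from running on an empty string area, so the comment should state that intent rather than just "do nothing"; a later cleanup could otherwise fold the check into the Unicode test as `if (bytes_remaining && (smb_buf->Flags2 & SMBFLG2_UNICODE))`, which would let the non-Unicode path run with bytes_remaining == 0 and reintroduce the wrap the changelog describes. Something like `/* no string area: skip decoding entirely, the alignment adjustment below would otherwise wrap bytes_remaining */` ties the branch to the reason in the changelog. It would also help to say outright in the changelog that bytes_remaining is an unsigned count (the quotes around "negative" imply it), because that is why the value wraps instead of going negative and why a zero check, not a signed `< 0` check after the decrement, is the correct guard.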