Message ID | 1303819401-14789-6-git-send-email-jlayton@redhat.com (mailing list archive) |
---|---|
State | New, archived |
Jeff Layton <jlayton@redhat.com> wrote:

> cifs_demultiplex_thread calls coalesce_t2 to try and merge follow-on t2
> responses into the original mid buffer. coalesce_t2 however can return
> errors, but the caller doesn't handle that situation properly. Fix the
> thread to treat such a case as it would a malformed packet. Mark the
> mid as being malformed and issue the callback.
>
> Cc: stable@kernel.org
> Signed-off-by: Jeff Layton <jlayton@redhat.com>

Acked-by: David Howells <dhowells@redhat.com>
diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c index a2cde4c..d025249 100644 --- a/fs/cifs/connect.c +++ b/fs/cifs/connect.c @@ -629,12 +629,16 @@ incomplete_rcv: isMultiRsp = true; if (mid_entry->resp_buf) { /* merge response - fix up 1st*/ - if (coalesce_t2(smb_buffer, - mid_entry->resp_buf)) { + length = coalesce_t2(smb_buffer, + mid_entry->resp_buf); + if (length > 0) { + length = 0; mid_entry->multiRsp = true; break; } else { - /* all parts received */ + /* all parts received or + * packet is malformed + */ mid_entry->multiEnd = true; goto multi_t2_fnd; }
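Review bot: in the new else branch, a negative return from coalesce_t2 takes exactly the same path as a zero return (`mid_entry->multiEnd = true; goto multi_t2_fnd;`), and nothing in this hunk marks the mid as malformed, although the commit message says that happens. The only visible difference between the two cases is that `length` is still negative at the jump, so the fix appears to depend on code at multi_t2_fnd testing `length`, which is outside the hunk. The comment should state that dependency rather than just "or packet is malformed", and the `length = 0;` reset before `break` in the positive branch deserves a short comment too, since it is equally load-bearing and currently unexplained.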
cifs_demultiplex_thread calls coalesce_t2 to try and merge follow-on t2 responses into the original mid buffer. coalesce_t2 however can return errors, but the caller doesn't handle that situation properly. Fix the thread to treat such a case as it would a malformed packet. Mark the mid as being malformed and issue the callback.

Cc: stable@kernel.org
Signed-off-by: Jeff Layton <jlayton@redhat.com>
---
 fs/cifs/connect.c | 10 +++++++---
 1 files changed, 7 insertions(+), 3 deletions(-)