| Message ID | 1303905796-28087-1-git-send-email-jlayton@redhat.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
Jeff Layton <jlayton@redhat.com> wrote: > + /* don't allow buffer to overflow */ > + if (byte_count > CIFSMaxBufSize) > + return -ENOBUFS; Shouldn't that be EPROTO too? (ENOBUFS would seem to be wrong anyway). > + if (total_in_buf & USHRT_MAX) > + if (byte_count & USHRT_MAX) Use '>' rather than '&'. '&' is wrong without a '~'. David -- To unsubscribe from this list: send the line "unsubscribe linux-cifs" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Wed, 27 Apr 2011 17:37:12 +0100 David Howells <dhowells@redhat.com> wrote: > Jeff Layton <jlayton@redhat.com> wrote: > > > + /* don't allow buffer to overflow */ > > + if (byte_count > CIFSMaxBufSize) > > + return -ENOBUFS; > > Shouldn't that be EPROTO too? (ENOBUFS would seem to be wrong anyway). > No, CIFSMaxBufSize is a limitation of this code, and not a protocol limitation. In this case, there's not enough space in this buffer so it seems like the correct error. > > + if (total_in_buf & USHRT_MAX) > > + if (byte_count & USHRT_MAX) > > Use '>' rather than '&'. '&' is wrong without a '~'. > Doh! Good catch -- will fix...
David Howells <dhowells@redhat.com> wrote: > Jeff Layton <jlayton@redhat.com> wrote: > > > + /* don't allow buffer to overflow */ > > + if (byte_count > CIFSMaxBufSize) > > + return -ENOBUFS; > > Shouldn't that be EPROTO too? (ENOBUFS would seem to be wrong anyway). No... It should be ENOBUFS. It's not a protocol error, but a local limitation. David -- To unsubscribe from this list: send the line "unsubscribe linux-cifs" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c index db9d55b..77031a3 100644 --- a/fs/cifs/connect.c +++ b/fs/cifs/connect.c @@ -274,7 +274,8 @@ static int coalesce_t2(struct smb_hdr *psecond, struct smb_hdr *pTargetSMB) char *data_area_of_target; char *data_area_of_buf2; int remaining; - __u16 byte_count, total_data_size, total_in_buf, total_in_buf2; + unsigned int byte_count, total_in_buf; + __u16 total_data_size, total_in_buf2; total_data_size = get_unaligned_le16(&pSMBt->t2_rsp.TotalDataCount); @@ -287,7 +288,7 @@ static int coalesce_t2(struct smb_hdr *psecond, struct smb_hdr *pTargetSMB) remaining = total_data_size - total_in_buf; if (remaining < 0) - return -EINVAL; + return -EPROTO; if (remaining == 0) /* nothing to do, ignore */ return 0; @@ -308,20 +309,30 @@ static int coalesce_t2(struct smb_hdr *psecond, struct smb_hdr *pTargetSMB) data_area_of_target += total_in_buf; /* copy second buffer into end of first buffer */ - memcpy(data_area_of_target, data_area_of_buf2, total_in_buf2); total_in_buf += total_in_buf2; + + /* is the result too big for the field? */ + if (total_in_buf & USHRT_MAX) + return -EPROTO; put_unaligned_le16(total_in_buf, &pSMBt->t2_rsp.DataCount); + byte_count = get_bcc_le(pTargetSMB); byte_count += total_in_buf2; + + /* is the result too big for the field? */ + if (byte_count & USHRT_MAX) + return -EPROTO; put_bcc_le(byte_count, pTargetSMB); byte_count = pTargetSMB->smb_buf_length; byte_count += total_in_buf2; - - /* BB also add check that we are not beyond maximum buffer size */ - + /* don't allow buffer to overflow */ + if (byte_count > CIFSMaxBufSize) + return -ENOBUFS; pTargetSMB->smb_buf_length = byte_count; + memcpy(data_area_of_target, data_area_of_buf2, total_in_buf2); + if (remaining == total_in_buf2) { cFYI(1, "found the last secondary response"); return 0; /* we are done */
There are a couple of places in this code where these values can wrap or go negative, and that could potentially end up overflowing the buffer. Ensure that that doesn't happen. Do all of the length calculation and checks first, and only perform the memcpy after they pass. Also, increase some stack variables to 32 bits to ensure that they don't wrap without being detected. Finally, change the error codes to be a bit more descriptive of any problems detected. -EINVAL isn't very accurate. Cc: stable@kernel.org Reported-by: David Howells <dhowells@redhat.com> Signed-off-by: Jeff Layton <jlayton@redhat.com> --- fs/cifs/connect.c | 23 +++++++++++++++++------ 1 files changed, 17 insertions(+), 6 deletions(-)