-
由 Marios Makassikis 提交于
When processing a SMB2 QUERY_DIRECTORY request, smb2_populate_readdir_entry() is called first to fill the dot/dotdot entries. This moves the d_info->wptr pointer but out_buf_len remains unchanged. As a result, reserve_populate_dentry() may end up writing past the end of the buffer since the bounds checking is done on invalid values. Signed-off-by: NMarios Makassikis <mmakassikis@freebox.fr> Signed-off-by: NNamjae Jeon <namjae.jeon@samsung.com> Signed-off-by: NSteve French <stfrench@microsoft.com>
e7735c85