提交 26ec2548 编写于 作者: J Jeff Layton 提交者: Steve French

cifs: fix unaligned access in check2ndT2 and coalesce_t2

Signed-off-by: NJeff Layton <jlayton@redhat.com>
Acked-by: NPavel Shilovsky <piastryyy@gmail.com>
Reviewed-by: NShirish Pargaonkar <shirishpargaonkar@gmail.com>
Signed-off-by: NSteve French <sfrench@us.ibm.com>
上级 12df83c9
...@@ -232,9 +232,8 @@ cifs_reconnect(struct TCP_Server_Info *server) ...@@ -232,9 +232,8 @@ cifs_reconnect(struct TCP_Server_Info *server)
static int check2ndT2(struct smb_hdr *pSMB, unsigned int maxBufSize) static int check2ndT2(struct smb_hdr *pSMB, unsigned int maxBufSize)
{ {
struct smb_t2_rsp *pSMBt; struct smb_t2_rsp *pSMBt;
int total_data_size;
int data_in_this_rsp;
int remaining; int remaining;
__u16 total_data_size, data_in_this_rsp;
if (pSMB->Command != SMB_COM_TRANSACTION2) if (pSMB->Command != SMB_COM_TRANSACTION2)
return 0; return 0;
...@@ -248,8 +247,8 @@ static int check2ndT2(struct smb_hdr *pSMB, unsigned int maxBufSize) ...@@ -248,8 +247,8 @@ static int check2ndT2(struct smb_hdr *pSMB, unsigned int maxBufSize)
pSMBt = (struct smb_t2_rsp *)pSMB; pSMBt = (struct smb_t2_rsp *)pSMB;
total_data_size = le16_to_cpu(pSMBt->t2_rsp.TotalDataCount); total_data_size = get_unaligned_le16(&pSMBt->t2_rsp.TotalDataCount);
data_in_this_rsp = le16_to_cpu(pSMBt->t2_rsp.DataCount); data_in_this_rsp = get_unaligned_le16(&pSMBt->t2_rsp.DataCount);
remaining = total_data_size - data_in_this_rsp; remaining = total_data_size - data_in_this_rsp;
...@@ -275,21 +274,18 @@ static int coalesce_t2(struct smb_hdr *psecond, struct smb_hdr *pTargetSMB) ...@@ -275,21 +274,18 @@ static int coalesce_t2(struct smb_hdr *psecond, struct smb_hdr *pTargetSMB)
{ {
struct smb_t2_rsp *pSMB2 = (struct smb_t2_rsp *)psecond; struct smb_t2_rsp *pSMB2 = (struct smb_t2_rsp *)psecond;
struct smb_t2_rsp *pSMBt = (struct smb_t2_rsp *)pTargetSMB; struct smb_t2_rsp *pSMBt = (struct smb_t2_rsp *)pTargetSMB;
int total_data_size;
int total_in_buf;
int remaining;
int total_in_buf2;
char *data_area_of_target; char *data_area_of_target;
char *data_area_of_buf2; char *data_area_of_buf2;
__u16 byte_count; int remaining;
__u16 byte_count, total_data_size, total_in_buf, total_in_buf2;
total_data_size = le16_to_cpu(pSMBt->t2_rsp.TotalDataCount); total_data_size = get_unaligned_le16(&pSMBt->t2_rsp.TotalDataCount);
if (total_data_size != le16_to_cpu(pSMB2->t2_rsp.TotalDataCount)) { if (total_data_size !=
get_unaligned_le16(&pSMB2->t2_rsp.TotalDataCount))
cFYI(1, "total data size of primary and secondary t2 differ"); cFYI(1, "total data size of primary and secondary t2 differ");
}
total_in_buf = le16_to_cpu(pSMBt->t2_rsp.DataCount); total_in_buf = get_unaligned_le16(&pSMBt->t2_rsp.DataCount);
remaining = total_data_size - total_in_buf; remaining = total_data_size - total_in_buf;
...@@ -299,25 +295,25 @@ static int coalesce_t2(struct smb_hdr *psecond, struct smb_hdr *pTargetSMB) ...@@ -299,25 +295,25 @@ static int coalesce_t2(struct smb_hdr *psecond, struct smb_hdr *pTargetSMB)
if (remaining == 0) /* nothing to do, ignore */ if (remaining == 0) /* nothing to do, ignore */
return 0; return 0;
total_in_buf2 = le16_to_cpu(pSMB2->t2_rsp.DataCount); total_in_buf2 = get_unaligned_le16(&pSMB2->t2_rsp.DataCount);
if (remaining < total_in_buf2) { if (remaining < total_in_buf2) {
cFYI(1, "transact2 2nd response contains too much data"); cFYI(1, "transact2 2nd response contains too much data");
} }
/* find end of first SMB data area */ /* find end of first SMB data area */
data_area_of_target = (char *)&pSMBt->hdr.Protocol + data_area_of_target = (char *)&pSMBt->hdr.Protocol +
le16_to_cpu(pSMBt->t2_rsp.DataOffset); get_unaligned_le16(&pSMBt->t2_rsp.DataOffset);
/* validate target area */ /* validate target area */
data_area_of_buf2 = (char *) &pSMB2->hdr.Protocol + data_area_of_buf2 = (char *)&pSMB2->hdr.Protocol +
le16_to_cpu(pSMB2->t2_rsp.DataOffset); get_unaligned_le16(&pSMB2->t2_rsp.DataOffset);
data_area_of_target += total_in_buf; data_area_of_target += total_in_buf;
/* copy second buffer into end of first buffer */ /* copy second buffer into end of first buffer */
memcpy(data_area_of_target, data_area_of_buf2, total_in_buf2); memcpy(data_area_of_target, data_area_of_buf2, total_in_buf2);
total_in_buf += total_in_buf2; total_in_buf += total_in_buf2;
pSMBt->t2_rsp.DataCount = cpu_to_le16(total_in_buf); put_unaligned_le16(total_in_buf, &pSMBt->t2_rsp.DataCount);
byte_count = get_bcc_le(pTargetSMB); byte_count = get_bcc_le(pTargetSMB);
byte_count += total_in_buf2; byte_count += total_in_buf2;
put_bcc_le(byte_count, pTargetSMB); put_bcc_le(byte_count, pTargetSMB);
...@@ -334,7 +330,6 @@ static int coalesce_t2(struct smb_hdr *psecond, struct smb_hdr *pTargetSMB) ...@@ -334,7 +330,6 @@ static int coalesce_t2(struct smb_hdr *psecond, struct smb_hdr *pTargetSMB)
return 0; /* we are done */ return 0; /* we are done */
} else /* more responses to go */ } else /* more responses to go */
return 1; return 1;
} }
static void static void
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册