cifs: fix NULL deref in SMB2_read

Signed-off-by: N Ronnie Sahlberg <lsahlber@redhat.com> Reviewed-by: N Pavel Shilovsky <pshilov@microsoft.com> CC: Stable <stable@vger.kernel.org> Signed-off-by: N Steve French <smfrench@gmail.com>

cifs: fix NULL deref in SMB2_read
Signed-off-by: N Ronnie Sahlberg <lsahlber@redhat.com> Reviewed-by: N Pavel Shilovsky <pshilov@microsoft.com> CC: Stable <stable@vger.kernel.org> Signed-off-by: N Steve French <smfrench@gmail.com>
a821df3f · Ronnie Sahlberg · Steve French · 328b4ed9 · a821df3f
显示空白变更内容
内联并排

Showing with 15 addition and 15 deletion

fs/cifs/smb2pdu.c fs/cifs/smb2pdu.c +15 -15

未找到文件。
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -2678,17 +2678,16 @@ SMB2_read(const unsigned int xid, struct cifs_io_parms *io_parms,
 	cifs_small_buf_release(req);

 	rsp = (struct smb2_read_rsp *)rsp_iov.iov_base;
-	shdr = get_sync_hdr(rsp);
-
-	if (shdr->Status == STATUS_END_OF_FILE) {
-		free_rsp_buf(resp_buftype, rsp_iov.iov_base);
-		return 0;
-	}

 	if (rc) {
+		if (rc != -ENODATA) {
 			cifs_stats_fail_inc(io_parms->tcon, SMB2_READ_HE);
 			cifs_dbg(VFS, "Send error in read = %d\n", rc);
-	} else {
+		}
+		free_rsp_buf(resp_buftype, rsp_iov.iov_base);
+		return rc == -ENODATA ? 0 : rc;
+	}
+
 	*nbytes = le32_to_cpu(rsp->DataLength);
 	if ((*nbytes > CIFS_MAX_MSGSIZE) ||
 	    (*nbytes > io_parms->length)) {
@@ -2697,7 +2696,8 @@ SMB2_read(const unsigned int xid, struct cifs_io_parms *io_parms,
 		rc = -EIO;
 		*nbytes = 0;
 	}
-	}
+
+	shdr = get_sync_hdr(rsp);

 	if (*buf) {
 		memcpy(*buf, (char *)shdr + rsp->DataOffset, *nbytes);