cifs: fix bad buffer length check in coalesce_t2

The current check looks to see if the RFC1002 length is larger than CIFSMaxBufSize, and fails if it is. The buffer is actually larger than that by MAX_CIFS_HDR_SIZE. This bug has been around for a long time, but the fact that we used to cap the clients MaxBufferSize at the same level as the server tended to paper over it. Commit c974befa changed that however and caused this bug to bite in more cases. Reported-and-Tested-by: N Konstantinos Skarlatos <k.skarlatos@gmail.com> Tested-by: N Shirish Pargaonkar <shirishpargaonkar@gmail.com> Signed-off-by: N Jeff Layton <jlayton@redhat.com> Signed-off-by: N Steve French <smfrench@gmail.com>

cifs: fix bad buffer length check in coalesce_t2
The current check looks to see if the RFC1002 length is larger than CIFSMaxBufSize, and fails if it is. The buffer is actually larger than that by MAX_CIFS_HDR_SIZE. This bug has been around for a long time, but the fact that we used to cap the clients MaxBufferSize at the same level as the server tended to paper over it. Commit c974befa changed that however and caused this bug to bite in more cases. Reported-and-Tested-by: N Konstantinos Skarlatos <k.skarlatos@gmail.com> Tested-by: N Shirish Pargaonkar <shirishpargaonkar@gmail.com> Signed-off-by: N Jeff Layton <jlayton@redhat.com> Signed-off-by: N Steve French <smfrench@gmail.com>
497728e1 · Jeff Layton · Steve French · f9fab10b · 497728e1
隐藏空白更改
内联并排

Showing with 1 addition and 1 deletion

fs/cifs/connect.c fs/cifs/connect.c +1 -1

未找到文件。
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -282,7 +282,7 @@ static int coalesce_t2(struct smb_hdr *psecond, struct smb_hdr *pTargetSMB)
 	byte_count = be32_to_cpu(pTargetSMB->smb_buf_length);
 	byte_count += total_in_buf2;
 	/* don't allow buffer to overflow */
-	if (byte_count > CIFSMaxBufSize)
+	if (byte_count > CIFSMaxBufSize + MAX_CIFS_HDR_SIZE - 4)
 		return -ENOBUFS;
 	pTargetSMB->smb_buf_length = cpu_to_be32(byte_count);