
Commit 8a3c4e4

Paulo Alcantarasmfrench
authored andcommitted
cifs: get rid of dup length check in parse_reparse_point()
smb2_compound_op(SMB2_OP_GET_REPARSE) already checks that the ioctl response has a valid reparse data buffer length, so there is no need to check it again in parse_reparse_point(). In order to get rid of the duplicate check, validate the reparse data buffer's length also in cifs_query_reparse_point(). Signed-off-by: Paulo Alcantara (SUSE) <[email protected]> Signed-off-by: Steve French <[email protected]>
1 parent 6d03998 commit 8a3c4e4

2 files changed

+12
-14
lines changed


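--- a/fs/smb/client/cifssmb.c
+++ b/fs/smb/client/cifssmb.c
@@ -2700,11 +2700,12 @@ int cifs_query_reparse_point(const unsigned int xid,
 u32 *tag, struct kvec *rsp,
 int *rsp_buftype)
 {
+struct reparse_data_buffer *buf;
 struct cifs_open_parms oparms;
 TRANSACT_IOCTL_REQ *io_req = NULL;
 TRANSACT_IOCTL_RSP *io_rsp = NULL;
 struct cifs_fid fid;
-__u32 data_offset, data_count;
+__u32 data_offset, data_count, len;
 __u8 *start, *end;
 int io_rsp_len;
 int oplock = 0;
@@ -2774,7 +2775,16 @@ int cifs_query_reparse_point(const unsigned int xid,
 goto error;
 }
 
-*tag = le32_to_cpu(((struct reparse_data_buffer *)start)->ReparseTag);
+data_count = le16_to_cpu(io_rsp->ByteCount);
+buf = (struct reparse_data_buffer *)start;
+len = sizeof(*buf);
+if (data_count < len ||
+data_count < le16_to_cpu(buf->ReparseDataLength) + len) {
+rc = -EIO;
+goto error;
+}
+
+*tag = le32_to_cpu(buf->ReparseTag);
 rsp->iov_base = io_rsp;
 rsp->iov_len = io_rsp_len;
 *rsp_buftype = CIFS_LARGE_BUFFER;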
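Review bot: The new length check in the second hunk bounds ReparseDataLength against io_rsp->ByteCount, but the buffer being read starts at `start`, which is not the beginning of the byte block, so ByteCount over-states the bytes actually available after `start` and a malformed server response could still pass the check with ReparseDataLength extending past the end of the received data. If `end` (declared in the first hunk and presumably computed earlier, outside this hunk) marks the end of the byte block, bounding against the remaining span is tighter: `data_count = end - start;` in place of the ByteCount assignment, with the rest of the condition unchanged. The removed checks in smb2ops.c logged a `cifs_dbg(VFS, ...)` on failure whereas this one returns -EIO silently; a one-line `cifs_dbg(VFS, "%s: invalid reparse buf length: %u\n", __func__, data_count);` before `rc = -EIO;` would keep that diagnostic. The body of cifs_query_reparse_point continues outside both hunks.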

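--- a/fs/smb/client/smb2ops.c
+++ b/fs/smb/client/smb2ops.c
@@ -2947,18 +2947,6 @@ int parse_reparse_point(struct reparse_data_buffer *buf,
 u32 plen, struct cifs_sb_info *cifs_sb,
 bool unicode, struct cifs_open_info_data *data)
 {
-if (plen < sizeof(*buf)) {
-cifs_dbg(VFS, "%s: reparse buffer is too small. Must be at least 8 bytes but was %d\n",
-__func__, plen);
-return -EIO;
-}
-
-if (plen < le16_to_cpu(buf->ReparseDataLength) + sizeof(*buf)) {
-cifs_dbg(VFS, "%s: invalid reparse buf length: %d\n",
-__func__, plen);
-return -EIO;
-}
-
 data->reparse.buf = buf;
 
 /* See MS-FSCC 2.1.2 */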
