Message ID | 1480972271-57692-4-git-send-email-pshilov@microsoft.com (mailing list archive) |
---|---|
State | New, archived |
On Mon, 2016-12-05 at 13:11 -0800, Pavel Shilovsky wrote: > If maxBuf is not 0 but less than a size of SMB2 lock structure > we can end up with a memory corruption. > > Cc: Stable <stable@vger.kernel.org> > Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com> Acked-by: Sachin Prabhu <sprabhu@redhat.com> > --- > fs/cifs/smb2file.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/fs/cifs/smb2file.c b/fs/cifs/smb2file.c > index f9e766f..b2aff0c 100644 > --- a/fs/cifs/smb2file.c > +++ b/fs/cifs/smb2file.c > @@ -260,7 +260,7 @@ smb2_push_mandatory_locks(struct cifsFileInfo > *cfile) > * and check it for zero before using. > */ > max_buf = tlink_tcon(cfile->tlink)->ses->server->maxBuf; > - if (!max_buf) { > + if (max_buf < sizeof(struct smb2_lock_element)) { > free_xid(xid); > return -EINVAL; > }
diff --git a/fs/cifs/smb2file.c b/fs/cifs/smb2file.c index f9e766f..b2aff0c 100644 --- a/fs/cifs/smb2file.c +++ b/fs/cifs/smb2file.c @@ -260,7 +260,7 @@ smb2_push_mandatory_locks(struct cifsFileInfo *cfile) * and check it for zero before using. */ max_buf = tlink_tcon(cfile->tlink)->ses->server->maxBuf; - if (!max_buf) { + if (max_buf < sizeof(struct smb2_lock_element)) { free_xid(xid); return -EINVAL; }
If maxBuf is not 0 but less than a size of SMB2 lock structure we can end up with a memory corruption. Cc: Stable <stable@vger.kernel.org> Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com> --- fs/cifs/smb2file.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
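Review bot: the context comment directly above the changed condition in smb2_push_mandatory_locks() still reads "and check it for zero before using", but the new test rejects any max_buf smaller than sizeof(struct smb2_lock_element), so the comment is now stale. Please update it to say that max_buf must be large enough to hold at least one struct smb2_lock_element. The commit message would also benefit from a sentence on where the corruption occurs, since the hunk shows only the guard and not the code that consumes max_buf.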