Message ID | 20170908003735.14789-1-lsahlber@redhat.com (mailing list archive) |
---|---|
State | New, archived |
2017-09-07 17:37 GMT-07:00 Ronnie Sahlberg <lsahlber@redhat.com>: > In SMB2_open there are several paths where the SendReceive2 > call will return an error before it sets rsp_iov.iov_base > thus leaving iov_base uninitialized. > > Thus we need to check rsp before we dereference it in > the call to get_rfc1002_length(). > > A report of this issue was previously reported in > http://www.spinics.net/lists/linux-cifs/msg12846.html > > RH-bugzilla : 1476151 > > Version 2 : > * Lets properly initialize rsp_iov before we use it. > > Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com> > --- > fs/cifs/smb2pdu.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c > index 97edb4d376cd..6e7d145d8b2f 100644 > --- a/fs/cifs/smb2pdu.c > +++ b/fs/cifs/smb2pdu.c > @@ -1617,7 +1617,7 @@ SMB2_open(const unsigned int xid, struct cifs_open_parms *oparms, __le16 *path, > struct cifs_tcon *tcon = oparms->tcon; > struct cifs_ses *ses = tcon->ses; > struct kvec iov[4]; > - struct kvec rsp_iov; > + struct kvec rsp_iov = {NULL, 0}; > int resp_buftype; > int uni_path_len; > __le16 *copy_path = NULL; 
> @@ -1746,7 +1746,7 @@ SMB2_open(const unsigned int xid, struct cifs_open_parms *oparms, __le16 *path, > > if (rc != 0) { > cifs_stats_fail_inc(tcon, SMB2_CREATE_HE); > - if (err_buf) > + if (err_buf && rsp) > *err_buf = kmemdup(rsp, get_rfc1002_length(rsp) + 4, > GFP_KERNEL); > goto creat_exit; > -- > 2.13.3

The patch looks correct. Good candidate for stable, I think. Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>. Also, it seems like we are not checking for the STATUS_STOPPED_ON_SYMLINK error code in smb2_query_symlink(). -- Best regards, Pavel Shilovsky
diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c index 97edb4d376cd..6e7d145d8b2f 100644 --- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c @@ -1617,7 +1617,7 @@ SMB2_open(const unsigned int xid, struct cifs_open_parms *oparms, __le16 *path, struct cifs_tcon *tcon = oparms->tcon; struct cifs_ses *ses = tcon->ses; struct kvec iov[4]; - struct kvec rsp_iov; + struct kvec rsp_iov = {NULL, 0}; int resp_buftype; int uni_path_len; __le16 *copy_path = NULL; @@ -1746,7 +1746,7 @@ SMB2_open(const unsigned int xid, struct cifs_open_parms *oparms, __le16 *path, if (rc != 0) { cifs_stats_fail_inc(tcon, SMB2_CREATE_HE); - if (err_buf) + if (err_buf && rsp) *err_buf = kmemdup(rsp, get_rfc1002_length(rsp) + 4, GFP_KERNEL); goto creat_exit;
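Review bot: the positional initialiser `struct kvec rsp_iov = {NULL, 0};` in the first hunk is correct but silently depends on struct kvec keeping iov_base before iov_len; a designated initialiser `struct kvec rsp_iov = { .iov_base = NULL, .iov_len = 0 };` states the intent and survives any reordering. More importantly, the description says SendReceive2 returns on some error paths before it ever writes rsp_iov.iov_base, so every other caller that reads rsp_iov after an error is exposed to the same uninitialised pointer; clearing the caller's kvec at the top of SendReceive2 would close the whole class rather than this one instance, and the stable backport note should say which fix is being taken.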
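Review bot: with `if (err_buf && rsp)` in the second hunk, *err_buf is left untouched when the transport failed before a response existed, so the caller gets a non-zero rc together with whatever *err_buf held before the call; unless every caller pre-initialises it to NULL, add an explicit `else if (err_buf) *err_buf = NULL;` or document that *err_buf is only meaningful when a response was received. Two smaller points on the same lines: the kmemdup size is still taken from the length field inside the response (`get_rfc1002_length(rsp) + 4`), so this path continues to rely on the response having been length-validated earlier, and the kmemdup return value is not checked for NULL, which is pre-existing but worth a follow-up since this is headed for stable.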
In SMB2_open there are several paths where the SendReceive2
call will return an error before it sets rsp_iov.iov_base
thus leaving iov_base uninitialized.

Thus we need to check rsp before we dereference it in
the call to get_rfc1002_length().

A report of this issue was previously reported in
http://www.spinics.net/lists/linux-cifs/msg12846.html

RH-bugzilla : 1476151

Version 2 :
* Let's properly initialize rsp_iov before we use it.

Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
---
 fs/cifs/smb2pdu.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
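Added example, not code from the patch or from the kernel: a userspace model of the error path the commit message describes, with send_receive_sim standing in for SendReceive2 and rfc1002_length for get_rfc1002_length(); the struct kvec copy, the sample response bytes and all function names are constructed for the demonstration. It shows why both halves of the patch are needed: the initialiser makes iov_base a known NULL when the transport fails early, and the rsp check keeps that NULL from reaching the length read and the copy.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Userspace stand-in for the kernel's struct kvec (same field order). */
struct kvec { void *iov_base; size_t iov_len; };
/* Constructed response: 4-byte RFC1002 header carrying length 8, then 8 body bytes. */
static unsigned char sample_rsp[12] = { 0, 0, 0, 8, 'S', 'T', 'A', 'T', 'U', 'S', '!', '!' };
/* Model of get_rfc1002_length(): the 24-bit big-endian length after the type byte. */
static unsigned int rfc1002_length(const void *buf)
{
    const unsigned char *b = buf;
    return ((unsigned int)b[1] << 16) | ((unsigned int)b[2] << 8) | b[3];
}

enum fail_mode { FAIL_NONE, FAIL_BEFORE_RSP, FAIL_WITH_RSP };
/* Model of SendReceive2(): FAIL_BEFORE_RSP errors out before rsp_iov is ever
 * written, which is the path the patch description calls out. */
static int send_receive_sim(enum fail_mode mode, struct kvec *rsp_iov)
{
    if (mode == FAIL_BEFORE_RSP)
        return -ENOMEM;
    rsp_iov->iov_base = sample_rsp;
    rsp_iov->iov_len = sizeof sample_rsp;
    return mode == FAIL_WITH_RSP ? -EIO : 0;
}

/* Mirrors the SMB2_open() error path after the patch: on failure *err_buf is a
 * malloc'd copy of the response, or NULL if the transport failed before one existed. */
static int smb2_open_sim_fixed(enum fail_mode mode, unsigned char **err_buf)
{
    struct kvec rsp_iov = { NULL, 0 };  /* hunk 1: iov_base can no longer be garbage */
    unsigned char *rsp;
    int rc;
    if (err_buf)
        *err_buf = NULL;
    rc = send_receive_sim(mode, &rsp_iov);
    rsp = rsp_iov.iov_base;
    if (rc != 0) {
        if (err_buf && rsp) {           /* hunk 2: a NULL rsp is never dereferenced */
            size_t len = rfc1002_length(rsp) + 4;
            *err_buf = malloc(len);
            if (*err_buf)
                memcpy(*err_buf, rsp, len);
        }
        return rc;
    }
    return 0;
}
```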