Fix buffer overflow if server sends corrupt response to small
commit eca993ae9ba2c5009c480a4dba75d156a12bf6ed
author Steve French <sfrench@us.ibm.com>
Tue, 13 Nov 2007 22:41:37 +0000 (13 22:41 +0000)
committer Oliver Pinter <oliver.pntr@gmail.com>
Sat, 5 Apr 2008 12:41:06 +0000 (5 14:41 +0200)
tree 5a55e3a5e1eb72657716d97b55f3f9998bd4f4de
parent 6c59dbf0e13ca7d36842059afebc794df39feb7e
[CIFS] Fix buffer overflow if server sends corrupt response to small
request

In the SendReceive() function in transport.c, it memcpy's the
message payload into a buffer passed via the out_buf param. The function
assumes that all buffers are of size (CIFSMaxBufSize +
MAX_CIFS_HDR_SIZE); unfortunately it is also called with smaller
(MAX_CIFS_SMALL_BUFFER_SIZE) buffers.  There are eight callers
(SMB worker functions) which are primarily affected by this change:

TreeDisconnect, uLogoff, Close, findClose, SetFileSize, SetFileTimes,
Lock and PosixLock

CC: Dave Kleikamp <shaggy@austin.ibm.com>
CC: Przemyslaw Wegrzyn <czajnik@czajsoft.pl>
Acked-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
Acked-by: Jeff Mahoney <jeffm@suse.com>
Signed-off-by: Oliver Pinter <oliver.pntr@gmail.com>
fs/cifs/cifsglob.h
fs/cifs/cifsproto.h
fs/cifs/cifssmb.c
fs/cifs/connect.c
fs/cifs/file.c
fs/cifs/sess.c
fs/cifs/transport.c
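The failure mode the commit message describes, as an added standalone C model (not the kernel's code and not this commit's diff): a receive path that checks the response length only against the large-buffer capacity lets a "corrupt" response through whenever the caller actually passed a small buffer, while a receive path that takes the caller's true capacity rejects it before any byte is copied. The capacities LARGE_BUF_CAP and SMALL_BUF_CAP, the function names and the sample response are all constructed for this example; the real CIFS constants and their values are not quoted on the page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed capacities standing in for the two buffer classes the commit
 * message names. The real kernel constants' values are not on the page, so
 * these numbers are assumptions for the example only. */
#define LARGE_BUF_CAP 512u  /* models CIFSMaxBufSize + MAX_CIFS_HDR_SIZE */
#define SMALL_BUF_CAP 64u   /* models MAX_CIFS_SMALL_BUFFER_SIZE */

/* The pre-fix check, as the commit message describes it: the receive path
 * validates the response length against the large-buffer size only, because
 * it assumes every out_buf has that capacity. (Hypothetical helper.) */
bool old_length_check_accepts(size_t resp_len)
{
    return resp_len <= LARGE_BUF_CAP;
}

/* Hardened receive (hypothetical helper): the caller passes the true capacity
 * of its buffer, and an over-long response is rejected before memcpy runs.
 * Returns the number of bytes copied, or -1 if the response does not fit. */
long copy_response_checked(const uint8_t *resp, size_t resp_len,
                           uint8_t *out, size_t out_cap)
{
    if (resp == NULL || out == NULL)
        return -1;
    if (resp_len > out_cap)
        return -1;               /* this copy would have overrun out */
    memcpy(out, resp, resp_len);
    return (long)resp_len;
}

/* True when a response of resp_len passes the old check yet would overrun a
 * buffer of out_cap bytes: exactly the small-buffer callers' situation. */
bool old_check_misses_overflow(size_t resp_len, size_t out_cap)
{
    return old_length_check_accepts(resp_len) && resp_len > out_cap;
}

int main(void)
{
    /* Constructed "corrupt" response: longer than a small buffer but within
     * the large-buffer limit, so the old check alone would accept it. */
    uint8_t corrupt[SMALL_BUF_CAP + 16];
    memset(corrupt, 0xAB, sizeof corrupt);

    uint8_t small_buf[SMALL_BUF_CAP];
    uint8_t large_buf[LARGE_BUF_CAP];

    printf("old check accepts %zu-byte response: %s\n", sizeof corrupt,
           old_length_check_accepts(sizeof corrupt) ? "yes" : "no");
    printf("old check misses overflow of small buffer: %s\n",
           old_check_misses_overflow(sizeof corrupt, sizeof small_buf) ? "yes" : "no");
    printf("checked copy into small buffer returns %ld\n",
           copy_response_checked(corrupt, sizeof corrupt, small_buf, sizeof small_buf));
    printf("checked copy into large buffer returns %ld\n",
           copy_response_checked(corrupt, sizeof corrupt, large_buf, sizeof large_buf));
    return 0;
}
```

The design point is that a receive routine cannot infer the destination size from its own configuration when callers hand it buffers of different classes; the capacity has to travel with the buffer (or be derivable from a flag the caller sets), and the length check has to run before the copy rather than after it.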