mirror of
https://mirrors.bfsu.edu.cn/git/linux.git
synced 2024-12-05 18:14:07 +08:00
cifs: clean up unaligned accesses in validate_t2
...and clean up function to reduce indentation. Signed-off-by: Jeff Layton <jlayton@redhat.com> Acked-by: Pavel Shilovsky <piastryyy@gmail.com> Reviewed-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
This commit is contained in:
parent
690c522fa5
commit
12df83c9b9
@ -331,31 +331,33 @@ smb_init_no_reconnect(int smb_command, int wct, struct cifsTconInfo *tcon,
|
||||
|
||||
static int validate_t2(struct smb_t2_rsp *pSMB)
|
||||
{
|
||||
int rc = -EINVAL;
|
||||
int total_size;
|
||||
unsigned int total_size;
|
||||
|
||||
/* check for plausible wct */
|
||||
if (pSMB->hdr.WordCount < 10)
|
||||
goto vt2_err;
|
||||
|
||||
/* check for plausible wct, bcc and t2 data and parm sizes */
|
||||
/* check for parm and data offset going beyond end of smb */
|
||||
if (pSMB->hdr.WordCount >= 10) {
|
||||
if ((le16_to_cpu(pSMB->t2_rsp.ParameterOffset) <= 1024) &&
|
||||
(le16_to_cpu(pSMB->t2_rsp.DataOffset) <= 1024)) {
|
||||
/* check that bcc is at least as big as parms + data */
|
||||
/* check that bcc is less than negotiated smb buffer */
|
||||
total_size = le16_to_cpu(pSMB->t2_rsp.ParameterCount);
|
||||
if (total_size < 512) {
|
||||
total_size +=
|
||||
le16_to_cpu(pSMB->t2_rsp.DataCount);
|
||||
if (total_size <= get_bcc(&pSMB->hdr) &&
|
||||
total_size <
|
||||
CIFSMaxBufSize + MAX_CIFS_HDR_SIZE) {
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
if (get_unaligned_le16(&pSMB->t2_rsp.ParameterOffset) > 1024 ||
|
||||
get_unaligned_le16(&pSMB->t2_rsp.DataOffset) > 1024)
|
||||
goto vt2_err;
|
||||
|
||||
/* check that bcc is at least as big as parms + data */
|
||||
/* check that bcc is less than negotiated smb buffer */
|
||||
total_size = get_unaligned_le16(&pSMB->t2_rsp.ParameterCount);
|
||||
if (total_size >= 512)
|
||||
goto vt2_err;
|
||||
|
||||
total_size += get_unaligned_le16(&pSMB->t2_rsp.DataCount);
|
||||
if (total_size > get_bcc(&pSMB->hdr) ||
|
||||
total_size >= CIFSMaxBufSize + MAX_CIFS_HDR_SIZE)
|
||||
goto vt2_err;
|
||||
|
||||
return 0;
|
||||
vt2_err:
|
||||
cifs_dump_mem("Invalid transact2 SMB: ", (char *)pSMB,
|
||||
sizeof(struct smb_t2_rsp) + 16);
|
||||
return rc;
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
int
|
||||
|
Loading…
Reference in New Issue
Block a user