mirror of
https://mirrors.bfsu.edu.cn/git/linux.git
synced 2024-11-25 05:04:09 +08:00
cifs: get rid of dup length check in parse_reparse_point()
smb2_compound_op(SMB2_OP_GET_REPARSE) already checks if ioctl response has a valid reparse data buffer's length, so there's no need to check it again in parse_reparse_point(). In order to get rid of duplicate check, validate reparse data buffer's length also in cifs_query_reparse_point(). Signed-off-by: Paulo Alcantara (SUSE) <pc@manguebit.com> Signed-off-by: Steve French <stfrench@microsoft.com>
This commit is contained in:
parent
6d039984c1
commit
8a3c4e44c2
@ -2700,11 +2700,12 @@ int cifs_query_reparse_point(const unsigned int xid,
|
||||
u32 *tag, struct kvec *rsp,
|
||||
int *rsp_buftype)
|
||||
{
|
||||
struct reparse_data_buffer *buf;
|
||||
struct cifs_open_parms oparms;
|
||||
TRANSACT_IOCTL_REQ *io_req = NULL;
|
||||
TRANSACT_IOCTL_RSP *io_rsp = NULL;
|
||||
struct cifs_fid fid;
|
||||
__u32 data_offset, data_count;
|
||||
__u32 data_offset, data_count, len;
|
||||
__u8 *start, *end;
|
||||
int io_rsp_len;
|
||||
int oplock = 0;
|
||||
@ -2774,7 +2775,16 @@ int cifs_query_reparse_point(const unsigned int xid,
|
||||
goto error;
|
||||
}
|
||||
|
||||
*tag = le32_to_cpu(((struct reparse_data_buffer *)start)->ReparseTag);
|
||||
data_count = le16_to_cpu(io_rsp->ByteCount);
|
||||
buf = (struct reparse_data_buffer *)start;
|
||||
len = sizeof(*buf);
|
||||
if (data_count < len ||
|
||||
data_count < le16_to_cpu(buf->ReparseDataLength) + len) {
|
||||
rc = -EIO;
|
||||
goto error;
|
||||
}
|
||||
|
||||
*tag = le32_to_cpu(buf->ReparseTag);
|
||||
rsp->iov_base = io_rsp;
|
||||
rsp->iov_len = io_rsp_len;
|
||||
*rsp_buftype = CIFS_LARGE_BUFFER;
|
||||
|
@ -2947,18 +2947,6 @@ int parse_reparse_point(struct reparse_data_buffer *buf,
|
||||
u32 plen, struct cifs_sb_info *cifs_sb,
|
||||
bool unicode, struct cifs_open_info_data *data)
|
||||
{
|
||||
if (plen < sizeof(*buf)) {
|
||||
cifs_dbg(VFS, "%s: reparse buffer is too small. Must be at least 8 bytes but was %d\n",
|
||||
__func__, plen);
|
||||
return -EIO;
|
||||
}
|
||||
|
||||
if (plen < le16_to_cpu(buf->ReparseDataLength) + sizeof(*buf)) {
|
||||
cifs_dbg(VFS, "%s: invalid reparse buf length: %d\n",
|
||||
__func__, plen);
|
||||
return -EIO;
|
||||
}
|
||||
|
||||
data->reparse.buf = buf;
|
||||
|
||||
/* See MS-FSCC 2.1.2 */
|
||||
|
Loading…
Reference in New Issue
Block a user