From 2dce1073a0008e46673684cc59b990504fc66235 Mon Sep 17 00:00:00 2001
From: Ronnie Sahlberg
Date: Mon, 15 Apr 2019 12:13:52 +1000
Subject: [PATCH 1/2] cifs: fix bi-directional fsctl passthrough calls

SMB2 Ioctl responses from servers may respond with both the request blob
from the client followed by the actual reply blob for ioctls that are
bi-directional. In that case we can not assume that the reply blob comes
immediately after the ioctl response structure.

This fixes FSCTLs such as SMB2:FSCTL_QUERY_ALLOCATED_RANGES

Signed-off-by: Ronnie Sahlberg
Signed-off-by: Steve French
---
 fs/cifs/smb2ops.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
index 08ff044fbb4b..841ce7e1fb72 100644
--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -1462,12 +1462,19 @@ smb2_ioctl_query_info(const unsigned int xid,
 	io_rsp = (struct smb2_ioctl_rsp *)rsp_iov[1].iov_base;
 	if (le32_to_cpu(io_rsp->OutputCount) < qi.input_buffer_length)
 		qi.input_buffer_length = le32_to_cpu(io_rsp->OutputCount);
+	if (qi.input_buffer_length > 0 &&
+	    le32_to_cpu(io_rsp->OutputOffset) + qi.input_buffer_length > rsp_iov[1].iov_len) {
+		rc = -EFAULT;
+		goto iqinf_exit;
+	}
 	if (copy_to_user(&pqi->input_buffer_length, &qi.input_buffer_length,
 			 sizeof(qi.input_buffer_length))) {
 		rc = -EFAULT;
 		goto iqinf_exit;
 	}
-	if (copy_to_user(pqi + 1, &io_rsp[1], qi.input_buffer_length)) {
+	if (copy_to_user((void __user *)pqi + sizeof(struct smb_query_info),
+			 (const void *)io_rsp + le32_to_cpu(io_rsp->OutputOffset),
+			 qi.input_buffer_length)) {
 		rc = -EFAULT;
 		goto iqinf_exit;
 	}
-- 
2.17.1
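Review bot: The new bounds check in the added `if` computes `le32_to_cpu(io_rsp->OutputOffset) + qi.input_buffer_length` in 32-bit unsigned arithmetic before comparing against `rsp_iov[1].iov_len`, so a server-supplied OutputOffset large enough to wrap the sum can pass the check even though the source range lies outside the response buffer; both operands come from the peer (OutputOffset directly, input_buffer_length clamped to OutputCount), and the later copy_to_user would then read past rsp_iov[1].iov_base. This assumes input_buffer_length is a 32-bit field, which its type in struct smb_query_info appears to be; confirm against the header. Rewrite the guard so each term is checked without a sum: `if (qi.input_buffer_length > 0 &&` / `    (le32_to_cpu(io_rsp->OutputOffset) > rsp_iov[1].iov_len ||` / `     qi.input_buffer_length > rsp_iov[1].iov_len - le32_to_cpu(io_rsp->OutputOffset))) {`. A short comment above it such as `/* OutputOffset and OutputCount are server-controlled; keep the copy inside the received iov */` would also record why the check exists. smb2_ioctl_query_info begins and ends outside this hunk.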