* [PATCH] cifs: initialize rsp_iov and avoid a NULL deref in SMB2_read @ 2017-10-24 3:01 Ronnie Sahlberg [not found] ` <20171024030153.541-1-lsahlber-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> 0 siblings, 1 reply; 3+ messages in thread From: Ronnie Sahlberg @ 2017-10-24 3:01 UTC (permalink / raw) To: linux-cifs; +Cc: Steve French, Pavel Shilovsky Signed-off-by: Ronnie Sahlberg <lsahlber-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> --- fs/cifs/smb2pdu.c | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c index 6ff4c275ca9a..efa06068e7e1 100644 --- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c @@ -2669,27 +2669,27 @@ SMB2_read(const unsigned int xid, struct cifs_io_parms *io_parms, cifs_small_buf_release(req); rsp = (struct smb2_read_rsp *)rsp_iov.iov_base; - shdr = get_sync_hdr(rsp); - if (shdr->Status == STATUS_END_OF_FILE) { + if (rc) { + if (rc != -ENODATA) { + cifs_stats_fail_inc(io_parms->tcon, SMB2_READ_HE); + cifs_dbg(VFS, "Send error in read = %d\n", rc); + } free_rsp_buf(resp_buftype, rsp_iov.iov_base); - return 0; + return rc == -ENODATA ? 0 : rc; } - if (rc) { - cifs_stats_fail_inc(io_parms->tcon, SMB2_READ_HE); - cifs_dbg(VFS, "Send error in read = %d\n", rc); - } else { - *nbytes = le32_to_cpu(rsp->DataLength); - if ((*nbytes > CIFS_MAX_MSGSIZE) || - (*nbytes > io_parms->length)) { - cifs_dbg(FYI, "bad length %d for count %d\n", - *nbytes, io_parms->length); - rc = -EIO; - *nbytes = 0; - } + *nbytes = le32_to_cpu(rsp->DataLength); + if ((*nbytes > CIFS_MAX_MSGSIZE) || + (*nbytes > io_parms->length)) { + cifs_dbg(FYI, "bad length %d for count %d\n", + *nbytes, io_parms->length); + rc = -EIO; + *nbytes = 0; } + shdr = get_sync_hdr(rsp); + if (*buf) { memcpy(*buf, (char *)shdr + rsp->DataOffset, *nbytes); free_rsp_buf(resp_buftype, rsp_iov.iov_base); -- 2.13.3 ^ permalink raw reply related [flat|nested] 3+ messages in thread
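Review bot: the subject promises to initialize rsp_iov, but no line in this hunk touches its declaration or initialization, and the diffstat (15 insertions, 15 deletions, one hunk) shows that nothing else changed. The new `if (rc)` branch still calls `free_rsp_buf(resp_buftype, rsp_iov.iov_base)` on the failure path, so whether that pointer is defined when the send fails before a response arrives depends on code outside what is shown. Either add the initialization to this patch or drop it from the subject, and give the commit message a body that states when rsp_iov.iov_base is NULL and names the dereference being fixed (the removed `shdr->Status` read that ran before the `rc` check).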
* Re: [PATCH] cifs: initialize rsp_iov and avoid a NULL deref in SMB2_read [not found] ` <20171024030153.541-1-lsahlber-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> @ 2017-11-01 16:53 ` Pavel Shilovsky [not found] ` <CAKywueQbQdsE23YE-jJg1t815kBtwFVOfijGxwCnC9Oa0okwhQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org> 0 siblings, 1 reply; 3+ messages in thread From: Pavel Shilovsky @ 2017-11-01 16:53 UTC (permalink / raw) To: Ronnie Sahlberg; +Cc: linux-cifs, Steve French 2017-10-23 20:01 GMT-07:00 Ronnie Sahlberg <lsahlber-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>: > Signed-off-by: Ronnie Sahlberg <lsahlber-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> > --- > fs/cifs/smb2pdu.c | 30 +++++++++++++++--------------- > 1 file changed, 15 insertions(+), 15 deletions(-) > > diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c > index 6ff4c275ca9a..efa06068e7e1 100644 > --- a/fs/cifs/smb2pdu.c > +++ b/fs/cifs/smb2pdu.c 
> @@ -2669,27 +2669,27 @@ SMB2_read(const unsigned int xid, struct cifs_io_parms *io_parms, > cifs_small_buf_release(req); > > rsp = (struct smb2_read_rsp *)rsp_iov.iov_base; > - shdr = get_sync_hdr(rsp); > > - if (shdr->Status == STATUS_END_OF_FILE) { > + if (rc) { > + if (rc != -ENODATA) { > + cifs_stats_fail_inc(io_parms->tcon, SMB2_READ_HE); > + cifs_dbg(VFS, "Send error in read = %d\n", rc); > + } > free_rsp_buf(resp_buftype, rsp_iov.iov_base); > - return 0; > + return rc == -ENODATA ? 0 : rc; > } > > - if (rc) { > - cifs_stats_fail_inc(io_parms->tcon, SMB2_READ_HE); > - cifs_dbg(VFS, "Send error in read = %d\n", rc); > - } else { > - *nbytes = le32_to_cpu(rsp->DataLength); > - if ((*nbytes > CIFS_MAX_MSGSIZE) || > - (*nbytes > io_parms->length)) { > - cifs_dbg(FYI, "bad length %d for count %d\n", > - *nbytes, io_parms->length); > - rc = -EIO; > - *nbytes = 0; > - } > + *nbytes = le32_to_cpu(rsp->DataLength); > + if ((*nbytes > CIFS_MAX_MSGSIZE) || > + (*nbytes > io_parms->length)) { > + cifs_dbg(FYI, "bad length %d for count %d\n", > + *nbytes, io_parms->length); > + rc = -EIO; > + *nbytes = 0; > } > > + shdr = get_sync_hdr(rsp); > + > if (*buf) { > memcpy(*buf, (char *)shdr + rsp->DataOffset, *nbytes); > free_rsp_buf(resp_buftype, rsp_iov.iov_base); > -- > 2.13.3 > Looks good. Reviewed-by: Pavel Shilovsky <pshilov-0li6OtcxBFHby3iVrkZq2A@public.gmane.org> -- Best regards, Pavel Shilovsky ^ permalink raw reply [flat|nested] 3+ messages in thread
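Review bot: in the new `if (rc)` branch, `return rc == -ENODATA ? 0 : rc;` replaces the explicit `shdr->Status == STATUS_END_OF_FILE` test, so end-of-file is now inferred from the errno alone. That is equivalent only if STATUS_END_OF_FILE is the sole condition that produces -ENODATA here; any other source of -ENODATA would be returned as a successful read with no stats increment and no log line. A short comment on the branch naming the status-to-errno mapping it relies on would make the assumption checkable. The branch also returns before `*nbytes` is assigned in this hunk, so confirm it is zeroed earlier in the function for the return-0 case.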
* Re: [PATCH] cifs: initialize rsp_iov and avoid a NULL deref in SMB2_read [not found] ` <CAKywueQbQdsE23YE-jJg1t815kBtwFVOfijGxwCnC9Oa0okwhQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org> @ 2017-11-01 16:57 ` Pavel Shilovsky 0 siblings, 0 replies; 3+ messages in thread From: Pavel Shilovsky @ 2017-11-01 16:57 UTC (permalink / raw) To: Ronnie Sahlberg, Steve French; +Cc: linux-cifs 2017-11-01 9:53 GMT-07:00 Pavel Shilovsky <piastryyy-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>: > 2017-10-23 20:01 GMT-07:00 Ronnie Sahlberg <lsahlber-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>: >> Signed-off-by: Ronnie Sahlberg <lsahlber-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> >> --- >> fs/cifs/smb2pdu.c | 30 +++++++++++++++--------------- >> 1 file changed, 15 insertions(+), 15 deletions(-) >> >> diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c >> index 6ff4c275ca9a..efa06068e7e1 100644 >> --- a/fs/cifs/smb2pdu.c >> +++ b/fs/cifs/smb2pdu.c 
>> @@ -2669,27 +2669,27 @@ SMB2_read(const unsigned int xid, struct cifs_io_parms *io_parms, >> cifs_small_buf_release(req); >> >> rsp = (struct smb2_read_rsp *)rsp_iov.iov_base; >> - shdr = get_sync_hdr(rsp); >> >> - if (shdr->Status == STATUS_END_OF_FILE) { >> + if (rc) { >> + if (rc != -ENODATA) { >> + cifs_stats_fail_inc(io_parms->tcon, SMB2_READ_HE); >> + cifs_dbg(VFS, "Send error in read = %d\n", rc); >> + } >> free_rsp_buf(resp_buftype, rsp_iov.iov_base); >> - return 0; >> + return rc == -ENODATA ? 0 : rc; >> } >> >> - if (rc) { >> - cifs_stats_fail_inc(io_parms->tcon, SMB2_READ_HE); >> - cifs_dbg(VFS, "Send error in read = %d\n", rc); >> - } else { >> - *nbytes = le32_to_cpu(rsp->DataLength); >> - if ((*nbytes > CIFS_MAX_MSGSIZE) || >> - (*nbytes > io_parms->length)) { >> - cifs_dbg(FYI, "bad length %d for count %d\n", >> - *nbytes, io_parms->length); >> - rc = -EIO; >> - *nbytes = 0; >> - } >> + *nbytes = le32_to_cpu(rsp->DataLength); >> + if ((*nbytes > CIFS_MAX_MSGSIZE) || >> + (*nbytes > io_parms->length)) { >> + cifs_dbg(FYI, "bad length %d for count %d\n", >> + *nbytes, io_parms->length); >> + rc = -EIO; >> + *nbytes = 0; >> } >> >> + shdr = get_sync_hdr(rsp); >> + >> if (*buf) { >> memcpy(*buf, (char *)shdr + rsp->DataOffset, *nbytes); >> free_rsp_buf(resp_buftype, rsp_iov.iov_base); >> -- >> 2.13.3 >> > > Looks good. > > Reviewed-by: Pavel Shilovsky <pshilov-0li6OtcxBFHby3iVrkZq2A@public.gmane.org> It seems like a good stable candidate. Thoughts? -- Best regards, Pavel Shilovsky ^ permalink raw reply [flat|nested] 3+ messages in thread
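Review bot: the context line `memcpy(*buf, (char *)shdr + rsp->DataOffset, *nbytes)` at the end of the hunk still takes DataOffset straight from the response, while the check above it bounds only `*nbytes` (against CIFS_MAX_MSGSIZE and io_parms->length). Since the patch already restructures this path, consider verifying that DataOffset plus `*nbytes` lies within the received response before the copy. Consider also returning -EIO right after the bad-length check (freeing the response buffer first) instead of falling through to the copy with `*nbytes` set to 0.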