* [PATCH] cifs: initialize rsp_iov and avoid a NULL deref in SMB2_read
@ 2017-10-24 3:01 Ronnie Sahlberg
From: Ronnie Sahlberg @ 2017-10-24 3:01 UTC
To: linux-cifs; +Cc: Steve French, Pavel Shilovsky
Signed-off-by: Ronnie Sahlberg <lsahlber-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
---
fs/cifs/smb2pdu.c | 30 +++++++++++++++---------------
1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
index 6ff4c275ca9a..efa06068e7e1 100644
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -2669,27 +2669,27 @@ SMB2_read(const unsigned int xid, struct cifs_io_parms *io_parms,
cifs_small_buf_release(req);
rsp = (struct smb2_read_rsp *)rsp_iov.iov_base;
- shdr = get_sync_hdr(rsp);
- if (shdr->Status == STATUS_END_OF_FILE) {
+ if (rc) {
+ if (rc != -ENODATA) {
+ cifs_stats_fail_inc(io_parms->tcon, SMB2_READ_HE);
+ cifs_dbg(VFS, "Send error in read = %d\n", rc);
+ }
free_rsp_buf(resp_buftype, rsp_iov.iov_base);
- return 0;
+ return rc == -ENODATA ? 0 : rc;
}
- if (rc) {
- cifs_stats_fail_inc(io_parms->tcon, SMB2_READ_HE);
- cifs_dbg(VFS, "Send error in read = %d\n", rc);
- } else {
- *nbytes = le32_to_cpu(rsp->DataLength);
- if ((*nbytes > CIFS_MAX_MSGSIZE) ||
- (*nbytes > io_parms->length)) {
- cifs_dbg(FYI, "bad length %d for count %d\n",
- *nbytes, io_parms->length);
- rc = -EIO;
- *nbytes = 0;
- }
+ *nbytes = le32_to_cpu(rsp->DataLength);
+ if ((*nbytes > CIFS_MAX_MSGSIZE) ||
+ (*nbytes > io_parms->length)) {
+ cifs_dbg(FYI, "bad length %d for count %d\n",
+ *nbytes, io_parms->length);
+ rc = -EIO;
+ *nbytes = 0;
}
+ shdr = get_sync_hdr(rsp);
+
if (*buf) {
memcpy(*buf, (char *)shdr + rsp->DataOffset, *nbytes);
free_rsp_buf(resp_buftype, rsp_iov.iov_base);
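Review bot: the subject promises to "initialize rsp_iov", but none of the 15 added lines initializes it, and the new early-return branch calls free_rsp_buf(resp_buftype, rsp_iov.iov_base) precisely when rc is non-zero, which is the case where the send call may not have filled rsp_iov in. Either add the initialization at the declaration (outside this hunk) or drop it from the subject. The commit message also has no body: please state that the removed lines read shdr->Status before rc was checked, and which failure left the response pointer NULL, so that a backporter can judge the fix without re-deriving it.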
--
2.13.3
* Re: [PATCH] cifs: initialize rsp_iov and avoid a NULL deref in SMB2_read
@ 2017-11-01 16:53 ` Pavel Shilovsky
From: Pavel Shilovsky @ 2017-11-01 16:53 UTC
To: Ronnie Sahlberg; +Cc: linux-cifs, Steve French
2017-10-23 20:01 GMT-07:00 Ronnie Sahlberg <lsahlber-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>:
> Signed-off-by: Ronnie Sahlberg <lsahlber-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
> ---
> fs/cifs/smb2pdu.c | 30 +++++++++++++++---------------
> 1 file changed, 15 insertions(+), 15 deletions(-)
>
> diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
> index 6ff4c275ca9a..efa06068e7e1 100644
> --- a/fs/cifs/smb2pdu.c
> +++ b/fs/cifs/smb2pdu.c
> @@ -2669,27 +2669,27 @@ SMB2_read(const unsigned int xid, struct cifs_io_parms *io_parms,
> cifs_small_buf_release(req);
>
> rsp = (struct smb2_read_rsp *)rsp_iov.iov_base;
> - shdr = get_sync_hdr(rsp);
>
> - if (shdr->Status == STATUS_END_OF_FILE) {
> + if (rc) {
> + if (rc != -ENODATA) {
> + cifs_stats_fail_inc(io_parms->tcon, SMB2_READ_HE);
> + cifs_dbg(VFS, "Send error in read = %d\n", rc);
> + }
> free_rsp_buf(resp_buftype, rsp_iov.iov_base);
> - return 0;
> + return rc == -ENODATA ? 0 : rc;
> }
>
> - if (rc) {
> - cifs_stats_fail_inc(io_parms->tcon, SMB2_READ_HE);
> - cifs_dbg(VFS, "Send error in read = %d\n", rc);
> - } else {
> - *nbytes = le32_to_cpu(rsp->DataLength);
> - if ((*nbytes > CIFS_MAX_MSGSIZE) ||
> - (*nbytes > io_parms->length)) {
> - cifs_dbg(FYI, "bad length %d for count %d\n",
> - *nbytes, io_parms->length);
> - rc = -EIO;
> - *nbytes = 0;
> - }
> + *nbytes = le32_to_cpu(rsp->DataLength);
> + if ((*nbytes > CIFS_MAX_MSGSIZE) ||
> + (*nbytes > io_parms->length)) {
> + cifs_dbg(FYI, "bad length %d for count %d\n",
> + *nbytes, io_parms->length);
> + rc = -EIO;
> + *nbytes = 0;
> }
>
> + shdr = get_sync_hdr(rsp);
> +
> if (*buf) {
> memcpy(*buf, (char *)shdr + rsp->DataOffset, *nbytes);
> free_rsp_buf(resp_buftype, rsp_iov.iov_base);
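Review bot: in the new "if (rc)" branch, end-of-file is now recognised only through "rc == -ENODATA" instead of shdr->Status == STATUS_END_OF_FILE, and the function returns 0 without writing *nbytes. A caller that did not zero its counter beforehand would see success with a stale byte count. Setting *nbytes = 0 before "return rc == -ENODATA ? 0 : rc;" would make the success-at-EOF case self-contained, and a one-line comment saying that -ENODATA is what the status mapping is expected to produce for STATUS_END_OF_FILE would document the dependency this branch now has.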
> --
> 2.13.3
>
Looks good.
Reviewed-by: Pavel Shilovsky <pshilov-0li6OtcxBFHby3iVrkZq2A@public.gmane.org>
--
Best regards,
Pavel Shilovsky
* Re: [PATCH] cifs: initialize rsp_iov and avoid a NULL deref in SMB2_read
@ 2017-11-01 16:57 ` Pavel Shilovsky
From: Pavel Shilovsky @ 2017-11-01 16:57 UTC
To: Ronnie Sahlberg, Steve French; +Cc: linux-cifs
2017-11-01 9:53 GMT-07:00 Pavel Shilovsky <piastryyy-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>:
> 2017-10-23 20:01 GMT-07:00 Ronnie Sahlberg <lsahlber-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>:
>> Signed-off-by: Ronnie Sahlberg <lsahlber-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
>> ---
>> fs/cifs/smb2pdu.c | 30 +++++++++++++++---------------
>> 1 file changed, 15 insertions(+), 15 deletions(-)
>>
>> diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
>> index 6ff4c275ca9a..efa06068e7e1 100644
>> --- a/fs/cifs/smb2pdu.c
>> +++ b/fs/cifs/smb2pdu.c
>> @@ -2669,27 +2669,27 @@ SMB2_read(const unsigned int xid, struct cifs_io_parms *io_parms,
>> cifs_small_buf_release(req);
>>
>> rsp = (struct smb2_read_rsp *)rsp_iov.iov_base;
>> - shdr = get_sync_hdr(rsp);
>>
>> - if (shdr->Status == STATUS_END_OF_FILE) {
>> + if (rc) {
>> + if (rc != -ENODATA) {
>> + cifs_stats_fail_inc(io_parms->tcon, SMB2_READ_HE);
>> + cifs_dbg(VFS, "Send error in read = %d\n", rc);
>> + }
>> free_rsp_buf(resp_buftype, rsp_iov.iov_base);
>> - return 0;
>> + return rc == -ENODATA ? 0 : rc;
>> }
>>
>> - if (rc) {
>> - cifs_stats_fail_inc(io_parms->tcon, SMB2_READ_HE);
>> - cifs_dbg(VFS, "Send error in read = %d\n", rc);
>> - } else {
>> - *nbytes = le32_to_cpu(rsp->DataLength);
>> - if ((*nbytes > CIFS_MAX_MSGSIZE) ||
>> - (*nbytes > io_parms->length)) {
>> - cifs_dbg(FYI, "bad length %d for count %d\n",
>> - *nbytes, io_parms->length);
>> - rc = -EIO;
>> - *nbytes = 0;
>> - }
>> + *nbytes = le32_to_cpu(rsp->DataLength);
>> + if ((*nbytes > CIFS_MAX_MSGSIZE) ||
>> + (*nbytes > io_parms->length)) {
>> + cifs_dbg(FYI, "bad length %d for count %d\n",
>> + *nbytes, io_parms->length);
>> + rc = -EIO;
>> + *nbytes = 0;
>> }
>>
>> + shdr = get_sync_hdr(rsp);
>> +
>> if (*buf) {
>> memcpy(*buf, (char *)shdr + rsp->DataOffset, *nbytes);
>> free_rsp_buf(resp_buftype, rsp_iov.iov_base);
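Review bot: the copy at "memcpy(*buf, (char *)shdr + rsp->DataOffset, *nbytes);" takes its source offset from the server-supplied rsp->DataOffset, and nothing visible in this hunk bounds it. The length check only compares *nbytes with CIFS_MAX_MSGSIZE and io_parms->length, so it limits how much is copied but not where the copy starts reading. Since the patch already reorders this block and is being proposed for stable, either check that DataOffset plus *nbytes stays within the received response before the copy, or add a comment naming the place where that validation already happens.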
>> --
>> 2.13.3
>>
>
> Looks good.
>
> Reviewed-by: Pavel Shilovsky <pshilov-0li6OtcxBFHby3iVrkZq2A@public.gmane.org>
It seems like a good stable candidate. Thoughts?
--
Best regards,
Pavel Shilovsky