Commit 56446f21 authored by Dan Carpenter's avatar Dan Carpenter Committed by Steve French

CIFS: fix wrapping bugs in num_entries()

The problem is that "entryptr + next_offset" and "entryptr + len + size"
can wrap.  I ended up changing the type of "entryptr" because it makes
the math easier when we don't have to do so much casting.
Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
Reviewed-by: default avatarAurelien Aptel <aaptel@suse.com>
Reviewed-by: default avatarPavel Shilovsky <pshilov@microsoft.com>
CC: Stable <stable@vger.kernel.org>
parent 8ad8aa35
...@@ -3577,33 +3577,38 @@ num_entries(char *bufstart, char *end_of_buf, char **lastentry, size_t size) ...@@ -3577,33 +3577,38 @@ num_entries(char *bufstart, char *end_of_buf, char **lastentry, size_t size)
int len; int len;
unsigned int entrycount = 0; unsigned int entrycount = 0;
unsigned int next_offset = 0; unsigned int next_offset = 0;
FILE_DIRECTORY_INFO *entryptr; char *entryptr;
FILE_DIRECTORY_INFO *dir_info;
if (bufstart == NULL) if (bufstart == NULL)
return 0; return 0;
entryptr = (FILE_DIRECTORY_INFO *)bufstart; entryptr = bufstart;
while (1) { while (1) {
entryptr = (FILE_DIRECTORY_INFO *) if (entryptr + next_offset < entryptr ||
((char *)entryptr + next_offset); entryptr + next_offset > end_of_buf ||
entryptr + next_offset + size > end_of_buf) {
if ((char *)entryptr + size > end_of_buf) {
cifs_dbg(VFS, "malformed search entry would overflow\n"); cifs_dbg(VFS, "malformed search entry would overflow\n");
break; break;
} }
len = le32_to_cpu(entryptr->FileNameLength); entryptr = entryptr + next_offset;
if ((char *)entryptr + len + size > end_of_buf) { dir_info = (FILE_DIRECTORY_INFO *)entryptr;
len = le32_to_cpu(dir_info->FileNameLength);
if (entryptr + len < entryptr ||
entryptr + len > end_of_buf ||
entryptr + len + size > end_of_buf) {
cifs_dbg(VFS, "directory entry name would overflow frame end of buf %p\n", cifs_dbg(VFS, "directory entry name would overflow frame end of buf %p\n",
end_of_buf); end_of_buf);
break; break;
} }
*lastentry = (char *)entryptr; *lastentry = entryptr;
entrycount++; entrycount++;
next_offset = le32_to_cpu(entryptr->NextEntryOffset); next_offset = le32_to_cpu(dir_info->NextEntryOffset);
if (!next_offset) if (!next_offset)
break; break;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment