Commit b77d753c authored by Steve French

[CIFS] Check that last search entry resume key is valid

Jeff's recent patch to add a last_entry field in the search structure
to better construct resume keys did not validate that the server
sent us a plausible pointer to the last entry.  This adds that.
Signed-off-by: Steve French <sfrench@us.ibm.com>
parent 0752f152
...@@ -3614,6 +3614,8 @@ CIFSFindFirst(const int xid, struct cifsTconInfo *tcon, ...@@ -3614,6 +3614,8 @@ CIFSFindFirst(const int xid, struct cifsTconInfo *tcon,
/* BB remember to free buffer if error BB */ /* BB remember to free buffer if error BB */
rc = validate_t2((struct smb_t2_rsp *)pSMBr); rc = validate_t2((struct smb_t2_rsp *)pSMBr);
if (rc == 0) { if (rc == 0) {
unsigned int lnoff;
if (pSMBr->hdr.Flags2 & SMBFLG2_UNICODE) if (pSMBr->hdr.Flags2 & SMBFLG2_UNICODE)
psrch_inf->unicode = true; psrch_inf->unicode = true;
else else
...@@ -3636,8 +3638,17 @@ CIFSFindFirst(const int xid, struct cifsTconInfo *tcon, ...@@ -3636,8 +3638,17 @@ CIFSFindFirst(const int xid, struct cifsTconInfo *tcon,
le16_to_cpu(parms->SearchCount); le16_to_cpu(parms->SearchCount);
psrch_inf->index_of_last_entry = 2 /* skip . and .. */ + psrch_inf->index_of_last_entry = 2 /* skip . and .. */ +
psrch_inf->entries_in_buffer; psrch_inf->entries_in_buffer;
lnoff = le16_to_cpu(parms->LastNameOffset);
if (tcon->ses->server->maxBuf - MAX_CIFS_HDR_SIZE <
lnoff) {
cERROR(1, ("ignoring corrupt resume name"));
psrch_inf->last_entry = NULL;
return rc;
}
psrch_inf->last_entry = psrch_inf->srch_entries_start + psrch_inf->last_entry = psrch_inf->srch_entries_start +
le16_to_cpu(parms->LastNameOffset); lnoff;
*pnetfid = parms->SearchHandle; *pnetfid = parms->SearchHandle;
} else { } else {
cifs_buf_release(pSMB); cifs_buf_release(pSMB);
...@@ -3727,6 +3738,8 @@ int CIFSFindNext(const int xid, struct cifsTconInfo *tcon, ...@@ -3727,6 +3738,8 @@ int CIFSFindNext(const int xid, struct cifsTconInfo *tcon,
rc = validate_t2((struct smb_t2_rsp *)pSMBr); rc = validate_t2((struct smb_t2_rsp *)pSMBr);
if (rc == 0) { if (rc == 0) {
unsigned int lnoff;
/* BB fixme add lock for file (srch_info) struct here */ /* BB fixme add lock for file (srch_info) struct here */
if (pSMBr->hdr.Flags2 & SMBFLG2_UNICODE) if (pSMBr->hdr.Flags2 & SMBFLG2_UNICODE)
psrch_inf->unicode = true; psrch_inf->unicode = true;
...@@ -3753,8 +3766,16 @@ int CIFSFindNext(const int xid, struct cifsTconInfo *tcon, ...@@ -3753,8 +3766,16 @@ int CIFSFindNext(const int xid, struct cifsTconInfo *tcon,
le16_to_cpu(parms->SearchCount); le16_to_cpu(parms->SearchCount);
psrch_inf->index_of_last_entry += psrch_inf->index_of_last_entry +=
psrch_inf->entries_in_buffer; psrch_inf->entries_in_buffer;
psrch_inf->last_entry = psrch_inf->srch_entries_start + lnoff = le16_to_cpu(parms->LastNameOffset);
le16_to_cpu(parms->LastNameOffset); if (tcon->ses->server->maxBuf - MAX_CIFS_HDR_SIZE <
lnoff) {
cERROR(1, ("ignoring corrupt resume name"));
psrch_inf->last_entry = NULL;
return rc;
} else
psrch_inf->last_entry =
psrch_inf->srch_entries_start + lnoff;
/* cFYI(1,("fnxt2 entries in buf %d index_of_last %d", /* cFYI(1,("fnxt2 entries in buf %d index_of_last %d",
psrch_inf->entries_in_buffer, psrch_inf->index_of_last_entry)); */ psrch_inf->entries_in_buffer, psrch_inf->index_of_last_entry)); */
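Review bot: In the CIFSFindFirst hunk the early `return rc;` taken when the resume offset is rejected sits above `*pnetfid = parms->SearchHandle;`, so the function returns 0 (success) while the caller's search handle is never written; the handle the server has just opened can then neither be used nor closed. Either store the handle first, moving `*pnetfid = parms->SearchHandle;` above `lnoff = le16_to_cpu(parms->LastNameOffset);`, or return a negative error instead of 0 so callers do not treat the reply as a usable search. The bound itself compares lnoff only against `tcon->ses->server->maxBuf - MAX_CIFS_HDR_SIZE`, the negotiated maximum rather than the amount of data actually returned in this reply, so an offset inside the allocation but beyond the received entries still passes (and the subtraction wraps if maxBuf is an unsigned value smaller than the header size); the T2 data count from parms is presumably the tighter limit, worth confirming. The CIFSFindNext hunk applies the same maxBuf bound and likewise returns 0 with last_entry NULL, so callers that consult last_entry on that path should be checked to tolerate NULL. Both enclosing functions begin and end outside the hunks.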