• Steve French's avatar
    [CIFS] Fix buffer overflow if server sends corrupt response to small · 133672ef
    Steve French authored
    request
    
    In SendReceive() function in transport.c - it memcpy's
    message payload into a buffer passed via out_buf param. The function
    assumes that all buffers are of size (CIFSMaxBufSize +
    MAX_CIFS_HDR_SIZE) , unfortunately it is also called with smaller
    (MAX_CIFS_SMALL_BUFFER_SIZE) buffers.  There are eight callers
    (SMB worker functions) which are primarily affected by this change:
    
    TreeDisconnect, uLogoff, Close, findClose, SetFileSize, SetFileTimes,
    Lock and PosixLock
    
    CC: Dave Kleikamp <shaggy@austin.ibm.com>
    CC: Przemyslaw Wegrzyn <czajnik@czajsoft.pl>
    Acked-by: default avatarJeff Layton <jlayton@redhat.com>
    Signed-off-by: default avatarSteve French <sfrench@us.ibm.com>
    133672ef
cifssmb.c 168 KB