
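--- a/linux-2.4.21/fs/smbfs/proc.c.orig
+++ b/linux-2.4.21/fs/smbfs/proc.c.orig
@@ -1333,9 +1333,11 @@
 	data_len = WVAL(buf, 1);
 
 	/* we can NOT simply trust the data_len given by the server ... */
-	if (data_len > server->packet_size - (buf+3 - server->packet)) {
+       if (data_len > count ||
+           data_len > server->packet_size - (buf+3 - server->packet)) {
 		printk(KERN_ERR "smb_proc_read: invalid data length!! "
-		       "%d > %d - (%p - %p)\n",
+                      "%d > %d || %d > %d - (%p - %p)\n",
+                      data_len, count,
 		       data_len, server->packet_size, buf+3, server->packet);
 		result = -EIO;
 		goto out;
@@ -1422,9 +1424,11 @@
 	buf = smb_base(server->packet) + data_off;
 
 	/* we can NOT simply trust the info given by the server ... */
-	if (data_len > server->packet_size - (buf - server->packet)) {
+       if (data_len > count ||
+           data_len > server->packet_size - (buf - server->packet)) {
 		printk(KERN_ERR "smb_proc_read: invalid data length!! "
-		       "%d > %d - (%p - %p)\n",
+                      "%d > %d || %d > %d - (%p - %p)\n",
+                      data_len, count,
 		       data_len, server->packet_size, buf, server->packet);
 		result = -EIO;
 		goto out;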
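Review bot: In the hunk at new line 1424 the bound `server->packet_size - (buf - server->packet)` is only meaningful when `buf` already lies inside the receive buffer, and `buf` is computed from `data_off` on the line just above the check. Whether `data_off` is range-checked earlier is not visible here, and the operand types are declared outside the hunk; if the subtraction is done in an unsigned type, a `buf` past the end of the packet would wrap the right-hand side to a large value and the length test would pass. I would reject that case explicitly before the length comparison, for example `if (buf < server->packet || buf - server->packet > server->packet_size)`, and add `data_len < 0` to the condition if `data_len` is signed. The same reasoning applies to the `buf+3` form in the hunk at line 1333; the enclosing function starts and ends outside both hunks.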
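--- a/linux-2.4.21/fs/smbfs/sock.c.orig
+++ b/linux-2.4.21/fs/smbfs/sock.c.orig
@@ -625,6 +625,9 @@
 		server->packet = rcv_buf;
 		rcv_buf = inbuf;
 	} else {
+               if (parm_len + data_len > buf_len)
+                       goto out_data_grew;
+
 		PARANOIA("copying data, old size=%d, new size=%u\n",
 			 server->packet_size, buf_len);
 		memcpy(inbuf, rcv_buf, parm_len + data_len);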
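Review bot: The new guard compares the sum `parm_len + data_len` with `buf_len`, so if those lengths are fixed-width integers derived from the server's reply (their declarations are outside this hunk), the addition can wrap and a small sum would pass the test while the `memcpy` below still uses the same wrapped or oversized value. Writing the test without the addition avoids that: `if (parm_len > buf_len || data_len > buf_len - parm_len) goto out_data_grew;`. A one-line comment such as `/* reply must fit the destination buffer before we copy */` would also make clear that `buf_len` is taken as the size of `inbuf`, which the hunk does not show. The `out_data_grew` label and the rest of the function are outside the hunk.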
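--- a/linux-2.4.21/MAINTAINERS.orig
+++ b/linux-2.4.21/MAINTAINERS.orig
@@ -1665,10 +1665,8 @@
 
 SMB FILESYSTEM
 P:	Urban Widmark
-M:	urban@teststation.com
+M:     Urban.Widmark@enlight.net
-W:	http://samba.org/
+S:     Odd Fixes
-L:	samba@samba.org
-S:	Maintained
 
 SNA NETWORK LAYER
 P:	Jay Schulist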
