Attachment #25459 for bug #61204

View | Details | Raw Unified | Return to bug 61204
Collapse All | Expand All




	data_len = WVAL(buf, 1);

	/* we can NOT simply trust the data_len given by the server ... */
	if (data_len > count ||
		data_len > server->packet_size - (buf+3 - server->packet)) {
		printk(KERN_ERR "smb_proc_read: invalid data length!! "
		       "%d > %d || (%p - %p) + %d > %d\n",
		       data_len, count,
		       buf+3, server->packet, data_len, server->packet_size);
		result = -EIO;
		goto out;
	}

	buf = smb_base(server->packet) + data_off;

	/* we can NOT simply trust the info given by the server ... */
	if (data_len > count ||
		(buf - server->packet) + data_len > server->packet_size) {
		printk(KERN_ERR "smb_proc_readX: invalid data length/offset!! "
		       "%d > %d || (%p - %p) + %d > %d\n",
		       data_len, count,
		       buf, server->packet, data_len, server->packet_size);
		result = -EIO;
		goto out;
	}

Lines 571-577 Link Here

(-)linux-2.4.27.orig/fs/smbfs/sock.c (-1 / +14 lines)
571	parm_disp, parm_offset, parm_count,	571	parm_disp, parm_offset, parm_count,
572	data_disp, data_offset, data_count);	572	data_disp, data_offset, data_count);
573	*parm = base + parm_offset;	573	*parm = base + parm_offset;
		574	if (*parm - inbuf + parm_tot > server->packet_size)
		575	goto out_bad_parm;
574	*data = base + data_offset;	576	*data = base + data_offset;
		577	if (*data - inbuf + data_tot > server->packet_size)
		578	goto out_bad_data;
575	goto success;	579	goto success;
576	}	580	}
577		581
Lines 591-596 Link Here
591	rcv_buf = smb_vmalloc(buf_len);	595	rcv_buf = smb_vmalloc(buf_len);
592	if (!rcv_buf)	596	if (!rcv_buf)
593	goto out_no_mem;	597	goto out_no_mem;
		598	memset(rcv_buf, 0, buf_len);
		599
594	*parm = rcv_buf;	600	*parm = rcv_buf;
595	*data = rcv_buf + total_p;	601	*data = rcv_buf + total_p;
596	} else if (data_tot > total_d \|\| parm_tot > total_p)	602	} else if (data_tot > total_d \|\| parm_tot > total_p)
Lines 598-605 Link Here
598		604
599	if (parm_disp + parm_count > total_p)	605	if (parm_disp + parm_count > total_p)
600	goto out_bad_parm;	606	goto out_bad_parm;
		607	if (parm_offset + parm_count > server->packet_size)
		608	goto out_bad_parm;
601	if (data_disp + data_count > total_d)	609	if (data_disp + data_count > total_d)
602	goto out_bad_data;	610	goto out_bad_data;
		611	if (data_offset + data_count > server->packet_size)
		612	goto out_bad_data;
603	memcpy(*parm + parm_disp, base + parm_offset, parm_count);	613	memcpy(*parm + parm_disp, base + parm_offset, parm_count);
604	memcpy(*data + data_disp, base + data_offset, data_count);	614	memcpy(*data + data_disp, base + data_offset, data_count);
605		615
Lines 610-617 Link Here
610	* Check whether we've received all of the data. Note that	620	* Check whether we've received all of the data. Note that
611	* we use the packet totals -- total lengths might shrink!	621	* we use the packet totals -- total lengths might shrink!
612	*/	622	*/
613	if (data_len >= data_tot && parm_len >= parm_tot)	623	if (data_len >= data_tot && parm_len >= parm_tot) {
		624	data_len = data_tot;
		625	parm_len = parm_tot;
614	break;	626	break;
		627	}
615	}	628	}
616		629
617	/*	630	/*

Return to bug 61204

Lines 1289-1298 Link Here

(-)linux-2.4.27.orig/fs/smbfs/proc.c (-7 / +11 lines)
1289	data_len = WVAL(buf, 1);	1289	data_len = WVAL(buf, 1);
1290		1290
1291	/* we can NOT simply trust the data_len given by the server ... */	1291	/* we can NOT simply trust the data_len given by the server ... */
1292	if (data_len > server->packet_size - (buf+3 - server->packet)) {	1292	if (data_len > count \|\|
		1293	data_len > server->packet_size - (buf+3 - server->packet)) {
1293	printk(KERN_ERR "smb_proc_read: invalid data length!! "	1294	printk(KERN_ERR "smb_proc_read: invalid data length!! "
1294	"%d > %d - (%p - %p)\n",	1295	"%d > %d \|\| (%p - %p) + %d > %d\n",
1295	data_len, server->packet_size, buf+3, server->packet);	1296	data_len, count,
		1297	buf+3, server->packet, data_len, server->packet_size);
1296	result = -EIO;	1298	result = -EIO;
1297	goto out;	1299	goto out;
1298	}	1300	}
Lines 1378-1387 Link Here
1378	buf = smb_base(server->packet) + data_off;	1380	buf = smb_base(server->packet) + data_off;
1379		1381
1380	/* we can NOT simply trust the info given by the server ... */	1382	/* we can NOT simply trust the info given by the server ... */
1381	if (data_len > server->packet_size - (buf - server->packet)) {	1383	if (data_len > count \|\|
1382	printk(KERN_ERR "smb_proc_read: invalid data length!! "	1384	(buf - server->packet) + data_len > server->packet_size) {
1383	"%d > %d - (%p - %p)\n",	1385	printk(KERN_ERR "smb_proc_readX: invalid data length/offset!! "
1384	data_len, server->packet_size, buf, server->packet);	1386	"%d > %d \|\| (%p - %p) + %d > %d\n",
		1387	data_len, count,
		1388	buf, server->packet, data_len, server->packet_size);
1385	result = -EIO;	1389	result = -EIO;
1386	goto out;	1390	goto out;
1387	}	1391	}