|
Lines 588-593
|
| 588 |
data_count = WVAL(inbuf, smb_drcnt); |
588 |
data_count = WVAL(inbuf, smb_drcnt); |
| 589 |
|
589 |
|
| 590 |
/* Modify offset for the split header/buffer we use */ |
590 |
/* Modify offset for the split header/buffer we use */ |
|
|
591 |
if (data_offset < hdrlen) |
| 592 |
goto out_bad_data; |
| 593 |
if (parm_offset < hdrlen) |
| 594 |
goto out_bad_parm; |
| 591 |
data_offset -= hdrlen; |
595 |
data_offset -= hdrlen; |
| 592 |
parm_offset -= hdrlen; |
596 |
parm_offset -= hdrlen; |
| 593 |
|
597 |
|
|
Lines 607-612
|
| 607 |
req->rq_lparm = parm_count; |
611 |
req->rq_lparm = parm_count; |
| 608 |
req->rq_data = req->rq_buffer + data_offset; |
612 |
req->rq_data = req->rq_buffer + data_offset; |
| 609 |
req->rq_parm = req->rq_buffer + parm_offset; |
613 |
req->rq_parm = req->rq_buffer + parm_offset; |
|
|
614 |
if (parm_offset + parm_count > req->rq_rlen) |
| 615 |
goto out_bad_parm; |
| 616 |
if (data_offset + data_count > req->rq_rlen) |
| 617 |
goto out_bad_data; |
| 610 |
return 0; |
618 |
return 0; |
| 611 |
} |
619 |
} |
| 612 |
|
620 |
|
|
Lines 634-639
|
| 634 |
req->rq_trans2buffer = smb_kmalloc(buf_len, GFP_NOFS); |
642 |
req->rq_trans2buffer = smb_kmalloc(buf_len, GFP_NOFS); |
| 635 |
if (!req->rq_trans2buffer) |
643 |
if (!req->rq_trans2buffer) |
| 636 |
goto out_no_mem; |
644 |
goto out_no_mem; |
|
|
645 |
memset(req->rq_trans2buffer, 0, buf_len); |
| 637 |
|
646 |
|
| 638 |
req->rq_parm = req->rq_trans2buffer; |
647 |
req->rq_parm = req->rq_trans2buffer; |
| 639 |
req->rq_data = req->rq_trans2buffer + parm_tot; |
648 |
req->rq_data = req->rq_trans2buffer + parm_tot; |
|
Lines 643-650
|
| 643 |
|
652 |
|
| 644 |
if (parm_disp + parm_count > req->rq_total_parm) |
653 |
if (parm_disp + parm_count > req->rq_total_parm) |
| 645 |
goto out_bad_parm; |
654 |
goto out_bad_parm; |
|
|
655 |
if (parm_offset + parm_count > req->rq_rlen) |
| 656 |
goto out_bad_parm; |
| 646 |
if (data_disp + data_count > req->rq_total_data) |
657 |
if (data_disp + data_count > req->rq_total_data) |
| 647 |
goto out_bad_data; |
658 |
goto out_bad_data; |
|
|
659 |
if (data_offset + data_count > req->rq_rlen) |
| 660 |
goto out_bad_data; |
| 648 |
|
661 |
|
| 649 |
inbuf = req->rq_buffer; |
662 |
inbuf = req->rq_buffer; |
| 650 |
memcpy(req->rq_parm + parm_disp, inbuf + parm_offset, parm_count); |
663 |
memcpy(req->rq_parm + parm_disp, inbuf + parm_offset, parm_count); |
|
Lines 657-664
|
| 657 |
* Check whether we've received all of the data. Note that |
670 |
* Check whether we've received all of the data. Note that |
| 658 |
* we use the packet totals -- total lengths might shrink! |
671 |
* we use the packet totals -- total lengths might shrink! |
| 659 |
*/ |
672 |
*/ |
| 660 |
if (req->rq_ldata >= data_tot && req->rq_lparm >= parm_tot) |
673 |
if (req->rq_ldata >= data_tot && req->rq_lparm >= parm_tot) { |
|
|
674 |
req->rq_ldata = data_tot; |
| 675 |
req->rq_lparm = parm_tot; |
| 661 |
return 0; |
676 |
return 0; |
|
|
677 |
} |
| 662 |
return 1; |
678 |
return 1; |
| 663 |
|
679 |
|
| 664 |
out_too_long: |
680 |
out_too_long: |
|
Lines 676-688
|
| 676 |
req->rq_errno = -EIO; |
692 |
req->rq_errno = -EIO; |
| 677 |
goto out; |
693 |
goto out; |
| 678 |
out_bad_parm: |
694 |
out_bad_parm: |
| 679 |
printk(KERN_ERR "smb_trans2: invalid parms, disp=%d, cnt=%d, tot=%d\n", |
695 |
printk(KERN_ERR "smb_trans2: invalid parms, disp=%d, cnt=%d, tot=%d, ofs=%d\n", |
| 680 |
parm_disp, parm_count, parm_tot); |
696 |
parm_disp, parm_count, parm_tot, parm_offset); |
| 681 |
req->rq_errno = -EIO; |
697 |
req->rq_errno = -EIO; |
| 682 |
goto out; |
698 |
goto out; |
| 683 |
out_bad_data: |
699 |
out_bad_data: |
| 684 |
printk(KERN_ERR "smb_trans2: invalid data, disp=%d, cnt=%d, tot=%d\n", |
700 |
printk(KERN_ERR "smb_trans2: invalid data, disp=%d, cnt=%d, tot=%d, ofs=%d\n", |
| 685 |
data_disp, data_count, data_tot); |
701 |
data_disp, data_count, data_tot, data_offset); |
| 686 |
req->rq_errno = -EIO; |
702 |
req->rq_errno = -EIO; |
| 687 |
out: |
703 |
out: |
| 688 |
return req->rq_errno; |
704 |
return req->rq_errno; |
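Review bot: In the `Lines 607-612` hunk the new range checks (new lines 614-617) run only after `req->rq_data` and `req->rq_parm` have already been set to `req->rq_buffer + data_offset` / `req->rq_buffer + parm_offset`, so on the `out_bad_parm` / `out_bad_data` path the request is left holding pointers past the received bytes; move the two `if (... > req->rq_rlen)` tests above the two assignments so a rejected response never stores an out-of-range pointer. The guards are only sound if `req->rq_rlen` cannot be negative: the offsets and counts appear to be 16-bit values read via `WVAL` (so no 32-bit wrap), but if `rq_rlen` is a signed `int` a negative value would be promoted to a large unsigned and the comparison would pass, so a `/* rq_rlen is >= 0 here: set from bytes actually received */` note or an explicit cast would make the assumption visible, since its declaration is not in the hunk. The `memset(req->rq_trans2buffer, 0, buf_len)` added in the `Lines 634-639` hunk is the necessary companion to the comment at new line 671 that totals may shrink: without it the tail of the reassembly buffer that no part ever fills would carry stale heap contents to whatever consumes `rq_parm`/`rq_data`. The enclosing function (tagged `smb_trans2` in the printk messages) begins before the first hunk and its variable declarations are outside the diff.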