|
Lines 587-592
|
| 587 |
data_offset = WVAL(inbuf, smb_droff); |
587 |
data_offset = WVAL(inbuf, smb_droff); |
| 588 |
data_count = WVAL(inbuf, smb_drcnt); |
588 |
data_count = WVAL(inbuf, smb_drcnt); |
| 589 |
|
589 |
|
|
|
590 |
if (data_offset < hdrlen) |
| 591 |
goto out_bad_data; |
| 592 |
if (parm_offset < hdrlen) |
| 593 |
goto out_bad_parm; |
| 594 |
|
| 590 |
/* Modify offset for the split header/buffer we use */ |
595 |
/* Modify offset for the split header/buffer we use */ |
| 591 |
data_offset -= hdrlen; |
596 |
data_offset -= hdrlen; |
| 592 |
parm_offset -= hdrlen; |
597 |
parm_offset -= hdrlen; |
|
Lines 605-610
|
| 605 |
data_offset, parm_offset); |
610 |
data_offset, parm_offset); |
| 606 |
req->rq_ldata = data_count; |
611 |
req->rq_ldata = data_count; |
| 607 |
req->rq_lparm = parm_count; |
612 |
req->rq_lparm = parm_count; |
|
|
613 |
|
| 614 |
if (parm_offset + parm_count > req->rq_bufsize) |
| 615 |
goto out_bad_parm; |
| 616 |
if (data_offset + data_count > req->rq_bufsize) |
| 617 |
goto out_bad_data; |
| 618 |
|
| 608 |
req->rq_data = req->rq_buffer + data_offset; |
619 |
req->rq_data = req->rq_buffer + data_offset; |
| 609 |
req->rq_parm = req->rq_buffer + parm_offset; |
620 |
req->rq_parm = req->rq_buffer + parm_offset; |
| 610 |
return 0; |
621 |
return 0; |
|
Lines 634-640
|
| 634 |
req->rq_trans2buffer = smb_kmalloc(buf_len, GFP_NOFS); |
645 |
req->rq_trans2buffer = smb_kmalloc(buf_len, GFP_NOFS); |
| 635 |
if (!req->rq_trans2buffer) |
646 |
if (!req->rq_trans2buffer) |
| 636 |
goto out_no_mem; |
647 |
goto out_no_mem; |
| 637 |
|
648 |
memset(req->rq_trans2buffer, 0, buf_len); |
|
|
649 |
|
| 638 |
req->rq_parm = req->rq_trans2buffer; |
650 |
req->rq_parm = req->rq_trans2buffer; |
| 639 |
req->rq_data = req->rq_trans2buffer + parm_tot; |
651 |
req->rq_data = req->rq_trans2buffer + parm_tot; |
| 640 |
} else if (req->rq_total_data < data_tot || |
652 |
} else if (req->rq_total_data < data_tot || |
|
Lines 645-651
|
| 645 |
goto out_bad_parm; |
657 |
goto out_bad_parm; |
| 646 |
if (data_disp + data_count > req->rq_total_data) |
658 |
if (data_disp + data_count > req->rq_total_data) |
| 647 |
goto out_bad_data; |
659 |
goto out_bad_data; |
|
|
660 |
if (parm_offset + parm_count > req->rq_bufsize) |
| 661 |
goto out_bad_parm; |
| 662 |
if (data_offset + data_count > req->rq_bufsize) |
| 663 |
goto out_bad_data; |
| 648 |
|
664 |
|
|
|
665 |
|
| 649 |
inbuf = req->rq_buffer; |
666 |
inbuf = req->rq_buffer; |
| 650 |
memcpy(req->rq_parm + parm_disp, inbuf + parm_offset, parm_count); |
667 |
memcpy(req->rq_parm + parm_disp, inbuf + parm_offset, parm_count); |
| 651 |
memcpy(req->rq_data + data_disp, inbuf + data_offset, data_count); |
668 |
memcpy(req->rq_data + data_disp, inbuf + data_offset, data_count); |
|
Lines 657-664
|
| 657 |
* Check whether we've received all of the data. Note that |
674 |
* Check whether we've received all of the data. Note that |
| 658 |
* we use the packet totals -- total lengths might shrink! |
675 |
* we use the packet totals -- total lengths might shrink! |
| 659 |
*/ |
676 |
*/ |
| 660 |
if (req->rq_ldata >= data_tot && req->rq_lparm >= parm_tot) |
677 |
if (req->rq_ldata >= data_tot && req->rq_lparm >= parm_tot) { |
|
|
678 |
req->rq_ldata = data_tot; |
| 679 |
req->rq_lparm = parm_tot; |
| 661 |
return 0; |
680 |
return 0; |
|
|
681 |
} |
| 662 |
return 1; |
682 |
return 1; |
| 663 |
|
683 |
|
| 664 |
out_too_long: |
684 |
out_too_long: |
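Review bot: The clamp added in the "Lines 657-664" hunk (`req->rq_ldata = data_tot; req->rq_lparm = parm_tot;`) carries no comment saying why it is needed: rq_ldata and rq_lparm appear to be running sums of per-fragment counts (the completeness test is `>=` and the comment above it warns that totals may shrink), so they can exceed the totals that sized rq_trans2buffer, and a caller trusting them would read past that buffer. Suggest `/* Counts are summed per fragment and may overshoot; clamp to the sizes the buffer was allocated for. */` above the two assignments. The `memset(req->rq_trans2buffer, 0, buf_len);` added in the "Lines 634-640" hunk is similarly unexplained — completeness is judged by counts rather than by which bytes were actually written, so regions no fragment covered would otherwise be handed back holding whatever the allocation contained, and a one-line comment stating that would help the next reader. The new `rq_bufsize` checks in the "Lines 605-610" and "Lines 645-651" hunks bound `parm_offset + parm_count` and `data_offset + data_count` against a field whose definition is not in view; if rq_bufsize is the allocation size rather than the number of bytes received for this reply, the pointer setup and memcpy are bounded to the buffer but can still return stale bytes of an earlier reply, so confirm which length the check is meant to use. The enclosing function begins before the first hunk and continues past `out_too_long:`.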