Attachment #27397 for bug #61204

View | Details | Raw Unified | Return to bug 61204
Collapse All | Expand All

Lines 1428-1436 smb_proc_readX_data(struct smb_request * Link Here

(-)linux-2.6.8.orig/fs/smbfs/proc.c (-3 / +3 lines)
1428	* So we must first calculate the amount of padding used by the server.	1428	* So we must first calculate the amount of padding used by the server.
1429	*/	1429	*/
1430	data_off -= hdrlen;	1430	data_off -= hdrlen;
1431	if (data_off > SMB_READX_MAX_PAD) {	1431	if (data_off > SMB_READX_MAX_PAD \|\| data_off < 0) {
1432	PARANOIA("offset is larger than max pad!\n");	1432	PARANOIA("offset is larger than SMB_READX_MAX_PAD or negative!\n");
1433	PARANOIA("%d > %d\n", data_off, SMB_READX_MAX_PAD);	1433	PARANOIA("%d > %d \|\| %d < 0\n", data_off, SMB_READX_MAX_PAD, data_off);
1434	req->rq_rlen = req->rq_bufsize + 1;	1434	req->rq_rlen = req->rq_bufsize + 1;
1435	return;	1435	return;
1436	}	1436	}




	data_count  = WVAL(inbuf, smb_drcnt);

	/* Modify offset for the split header/buffer we use */
	data_offset -= hdrlen;
	parm_offset -= hdrlen;

	if (parm_count == parm_tot && data_count == data_tot) {
		/*

		 * case. It may be a server error to not return a
		 * response that fits.
		 */
		/* _count = 0 is a special case, where data_offset is
		 * not used.
		 */
		if (data_count != 0) {
			if (data_offset < hdrlen)
				goto out_bad_data;
			/* Modify offset for the split header/buffer we use */
			data_offset -= hdrlen;
			if (data_offset + data_count > req->rq_rlen)
				goto out_bad_data;
			req->rq_ldata = data_count;
			req->rq_data = req->rq_buffer + data_offset;
		} else {
			req->rq_data  = NULL;
			req->rq_ldata = 0;
		}

		if (parm_count != 0) {
			if (parm_offset < hdrlen)
				goto out_bad_parm;
			/* Modify offset for the split header/buffer we use */
			parm_offset  -= hdrlen;
			if (parm_offset + parm_count > req->rq_rlen)
				goto out_bad_parm;
			req->rq_lparm = parm_count;
			req->rq_parm  = req->rq_buffer + parm_offset;
		} else {
			req->rq_lparm = 0;
			req->rq_parm  = NULL;
		}

		VERBOSE("single trans2 response  "
			"dcnt=%d, pcnt=%d, doff=%d, poff=%d\n",
			data_count, parm_count,
			data_offset, parm_offset);
		req->rq_ldata = data_count;
		req->rq_lparm = parm_count;
		req->rq_data = req->rq_buffer + data_offset;
		req->rq_parm = req->rq_buffer + parm_offset;
		return 0;
	}

	if (data_offset < hdrlen)
		goto out_bad_data;
	if (parm_offset < hdrlen)
		goto out_bad_parm;
	parm_offset -= hdrlen;
	data_offset -= hdrlen;


	VERBOSE("multi trans2 response  "
		"frag=%d, dcnt=%d, pcnt=%d, doff=%d, poff=%d\n",
		req->rq_fragment,

		req->rq_trans2buffer = smb_kmalloc(buf_len, GFP_NOFS);
		if (!req->rq_trans2buffer)
			goto out_no_mem;
		memset(req->rq_trans2buffer, 0, buf_len);

		req->rq_parm = req->rq_trans2buffer;
		req->rq_data = req->rq_trans2buffer + parm_tot;


	if (parm_disp + parm_count > req->rq_total_parm)
		goto out_bad_parm;
	if (parm_offset + parm_count > req->rq_rlen)
		goto out_bad_parm;
	if (data_disp + data_count > req->rq_total_data)
		goto out_bad_data;
	if (data_offset + data_count > req->rq_rlen)
		goto out_bad_data;

	inbuf = req->rq_buffer;
	memcpy(req->rq_parm + parm_disp, inbuf + parm_offset, parm_count);

	 * Check whether we've received all of the data. Note that
	 * we use the packet totals -- total lengths might shrink!
	 */
	if (req->rq_ldata >= data_tot && req->rq_lparm >= parm_tot) {
		req->rq_ldata = data_tot;
		req->rq_lparm = parm_tot;
		return 0;
	}
	return 1;

out_too_long:

	req->rq_errno = -EIO;
	goto out;
out_bad_parm:
	printk(KERN_ERR "smb_trans2: invalid parms, disp=%d, cnt=%d, tot=%d, ofs=%d\n",
	       parm_disp, parm_count, parm_tot, parm_offset);
	req->rq_errno = -EIO;
	goto out;
out_bad_data:
	printk(KERN_ERR "smb_trans2: invalid data, disp=%d, cnt=%d, tot=%d, ofs=%d\n",
	       data_disp, data_count, data_tot, data_offset);
	req->rq_errno = -EIO;
out:
	return req->rq_errno;

Return to bug 61204

Lines 588-595 Link Here

(-)linux-2.6.8.orig/fs/smbfs/request.c (-12 / +52 lines)
588	data_count = WVAL(inbuf, smb_drcnt);	588	data_count = WVAL(inbuf, smb_drcnt);
589		589
590	/* Modify offset for the split header/buffer we use */
591	data_offset -= hdrlen;
592	parm_offset -= hdrlen;
593		590
594	if (parm_count == parm_tot && data_count == data_tot) {	591	if (parm_count == parm_tot && data_count == data_tot) {
595	/*	592	/*
Lines 599-615 Link Here
599	* case. It may be a server error to not return a	597	* case. It may be a server error to not return a
600	* response that fits.	598	* response that fits.
601	*/	599	*/
		600	/* _count = 0 is a special case, where data_offset is
		601	* not used.
		602	*/
		603	if (data_count != 0) {
		604	if (data_offset < hdrlen)
		605	goto out_bad_data;
		606	/* Modify offset for the split header/buffer we use */
		607	data_offset -= hdrlen;
		608	if (data_offset + data_count > req->rq_rlen)
		609	goto out_bad_data;
		610	req->rq_ldata = data_count;
		611	req->rq_data = req->rq_buffer + data_offset;
		612	} else {
		613	req->rq_data = NULL;
		614	req->rq_ldata = 0;
		615	}
		616
		617	if (parm_count != 0) {
		618	if (parm_offset < hdrlen)
		619	goto out_bad_parm;
		620	/* Modify offset for the split header/buffer we use */
		621	parm_offset -= hdrlen;
		622	if (parm_offset + parm_count > req->rq_rlen)
		623	goto out_bad_parm;
		624	req->rq_lparm = parm_count;
		625	req->rq_parm = req->rq_buffer + parm_offset;
		626	} else {
		627	req->rq_lparm = 0;
		628	req->rq_parm = NULL;
		629	}
		630
602	VERBOSE("single trans2 response "	631	VERBOSE("single trans2 response "
603	"dcnt=%d, pcnt=%d, doff=%d, poff=%d\n",	632	"dcnt=%d, pcnt=%d, doff=%d, poff=%d\n",
604	data_count, parm_count,	633	data_count, parm_count,
605	data_offset, parm_offset);	634	data_offset, parm_offset);
606	req->rq_ldata = data_count;
607	req->rq_lparm = parm_count;
608	req->rq_data = req->rq_buffer + data_offset;
609	req->rq_parm = req->rq_buffer + parm_offset;
610	return 0;	635	return 0;
611	}	636	}
612		637
		638	if (data_offset < hdrlen)
		639	goto out_bad_data;
		640	if (parm_offset < hdrlen)
		641	goto out_bad_parm;
		642	parm_offset -= hdrlen;
		643	data_offset -= hdrlen;
		644
		645
613	VERBOSE("multi trans2 response "	646	VERBOSE("multi trans2 response "
614	"frag=%d, dcnt=%d, pcnt=%d, doff=%d, poff=%d\n",	647	"frag=%d, dcnt=%d, pcnt=%d, doff=%d, poff=%d\n",
615	req->rq_fragment,	648	req->rq_fragment,
Lines 634-639 Link Here
634	req->rq_trans2buffer = smb_kmalloc(buf_len, GFP_NOFS);	665	req->rq_trans2buffer = smb_kmalloc(buf_len, GFP_NOFS);
635	if (!req->rq_trans2buffer)	666	if (!req->rq_trans2buffer)
636	goto out_no_mem;	667	goto out_no_mem;
		668	memset(req->rq_trans2buffer, 0, buf_len);
637		669
638	req->rq_parm = req->rq_trans2buffer;	670	req->rq_parm = req->rq_trans2buffer;
639	req->rq_data = req->rq_trans2buffer + parm_tot;	671	req->rq_data = req->rq_trans2buffer + parm_tot;
Lines 643-650 Link Here
643		675
644	if (parm_disp + parm_count > req->rq_total_parm)	676	if (parm_disp + parm_count > req->rq_total_parm)
645	goto out_bad_parm;	677	goto out_bad_parm;
		678	if (parm_offset + parm_count > req->rq_rlen)
		679	goto out_bad_parm;
646	if (data_disp + data_count > req->rq_total_data)	680	if (data_disp + data_count > req->rq_total_data)
647	goto out_bad_data;	681	goto out_bad_data;
		682	if (data_offset + data_count > req->rq_rlen)
		683	goto out_bad_data;
648		684
649	inbuf = req->rq_buffer;	685	inbuf = req->rq_buffer;
650	memcpy(req->rq_parm + parm_disp, inbuf + parm_offset, parm_count);	686	memcpy(req->rq_parm + parm_disp, inbuf + parm_offset, parm_count);
Lines 657-664 Link Here
657	* Check whether we've received all of the data. Note that	693	* Check whether we've received all of the data. Note that
658	* we use the packet totals -- total lengths might shrink!	694	* we use the packet totals -- total lengths might shrink!
659	*/	695	*/
660	if (req->rq_ldata >= data_tot && req->rq_lparm >= parm_tot)	696	if (req->rq_ldata >= data_tot && req->rq_lparm >= parm_tot) {
		697	req->rq_ldata = data_tot;
		698	req->rq_lparm = parm_tot;
661	return 0;	699	return 0;
		700	}
662	return 1;	701	return 1;
663		702
664	out_too_long:	703	out_too_long:
Lines 676-688 Link Here
676	req->rq_errno = -EIO;	715	req->rq_errno = -EIO;
677	goto out;	716	goto out;
678	out_bad_parm:	717	out_bad_parm:
679	printk(KERN_ERR "smb_trans2: invalid parms, disp=%d, cnt=%d, tot=%d\n",	718	printk(KERN_ERR "smb_trans2: invalid parms, disp=%d, cnt=%d, tot=%d, ofs=%d\n",
680	parm_disp, parm_count, parm_tot);	719	parm_disp, parm_count, parm_tot, parm_offset);
681	req->rq_errno = -EIO;	720	req->rq_errno = -EIO;
682	goto out;	721	goto out;
683	out_bad_data:	722	out_bad_data:
684	printk(KERN_ERR "smb_trans2: invalid data, disp=%d, cnt=%d, tot=%d\n",	723	printk(KERN_ERR "smb_trans2: invalid data, disp=%d, cnt=%d, tot=%d, ofs=%d\n",
685	data_disp, data_count, data_tot);	724	data_disp, data_count, data_tot, data_offset);
686	req->rq_errno = -EIO;	725	req->rq_errno = -EIO;
687	out:	726	out:
688	return req->rq_errno;	727	return req->rq_errno;