cifs: check for bytes_remaining going to zero in CIFS_SessSetup
It's possible that when we go to decode the string area in the SESSION_SETUP response, that bytes_remaining will be 0. Decrementing it at that point will mean that it can go "negative" and wrap. Check for a bytes_remaining value of 0, and don't try to decode the string area if that's the case. Cc: stable@kernel.org Reported-and-Acked-by: David Howells <dhowells@redhat.com> Signed-off-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
This commit is contained in:
parent
bfacf2225a
commit
fcda7f4578
1 changed files with 3 additions and 1 deletions
|
@ -916,7 +916,9 @@ CIFS_SessSetup(unsigned int xid, struct cifsSesInfo *ses,
|
||||||
}
|
}
|
||||||
|
|
||||||
/* BB check if Unicode and decode strings */
|
/* BB check if Unicode and decode strings */
|
||||||
if (smb_buf->Flags2 & SMBFLG2_UNICODE) {
|
if (bytes_remaining == 0) {
|
||||||
|
/* no string area to decode, do nothing */
|
||||||
|
} else if (smb_buf->Flags2 & SMBFLG2_UNICODE) {
|
||||||
/* unicode string area must be word-aligned */
|
/* unicode string area must be word-aligned */
|
||||||
if (((unsigned long) bcc_ptr - (unsigned long) smb_buf) % 2) {
|
if (((unsigned long) bcc_ptr - (unsigned long) smb_buf) % 2) {
|
||||||
++bcc_ptr;
|
++bcc_ptr;
|
||||||
|
|
Loading…
Reference in a new issue