Red Hat Bugzilla – Attachment 252721 Details for
Bug 372701
CVE-2007-5904 Buffer overflow in CIFS VFS
[patch]
Proposed patch from reporter Przemyslaw Wegrzyn <czaj...@czajsoft.pl>
cifs-buffer-overflow-fix.patch.gz (text/plain), 28.15 KB, created by
Jan Lieskovsky
on 2007-11-09 13:40:24 UTC
(
hide
)
Description:
Proposed patch from reporter Przemyslaw Wegrzyn <czaj...@czajsoft.pl>
Filename:
MIME Type:
Creator:
Jan Lieskovsky
Created:
2007-11-09 13:40:24 UTC
Size:
28.15 KB
patch
obsolete
>diff -ruN linux-2.6.23.1.orig/fs/cifs/cifsproto.h linux-2.6.23.1/fs/cifs/cifsproto.h
>--- linux-2.6.23.1.orig/fs/cifs/cifsproto.h 2007-11-07 14:45:46.000000000 +0100
>+++ linux-2.6.23.1/fs/cifs/cifsproto.h 2007-11-08 00:30:38.000000000 +0100
>@@ -47,6 +47,7 @@
> extern int SendReceive(const unsigned int /* xid */ , struct cifsSesInfo *,
> struct smb_hdr * /* input */ ,
> struct smb_hdr * /* out */ ,
>+ unsigned int /* out_buf_size */,
> int * /* bytes returned */ , const int long_op);
> extern int SendReceive2(const unsigned int /* xid */ , struct cifsSesInfo *,
> struct kvec *, int /* nvec to send */,
>@@ -55,6 +56,7 @@
> struct cifsTconInfo *,
> struct smb_hdr * /* input */ ,
> struct smb_hdr * /* out */ ,
>+ unsigned int /* out_buf_size */,
> int * /* bytes returned */);
> extern int checkSMB(struct smb_hdr *smb, __u16 mid, unsigned int length);
> extern int is_valid_oplock_break(struct smb_hdr *smb, struct TCP_Server_Info *);
>diff -ruN linux-2.6.23.1.orig/fs/cifs/cifssmb.c linux-2.6.23.1/fs/cifs/cifssmb.c
>--- linux-2.6.23.1.orig/fs/cifs/cifssmb.c 2007-11-07 14:45:46.000000000 +0100
>+++ linux-2.6.23.1/fs/cifs/cifssmb.c 2007-11-08 00:31:23.000000000 +0100
>@@ -451,8 +451,8 @@
> pSMB->hdr.smb_buf_length += count;
> pSMB->ByteCount = cpu_to_le16(count);
>
>- rc = SendReceive(xid, ses, (struct smb_hdr *) pSMB,
>- (struct smb_hdr *) pSMBr, &bytes_returned, 0);
>+ rc = SendReceive(xid, ses, (struct smb_hdr *) pSMB, (struct smb_hdr *) pSMBr,
>+ CIFSMaxBufSize + MAX_CIFS_HDR_SIZE, &bytes_returned, 0);
> if (rc != 0)
> goto neg_err_exit;
>
>@@ -718,7 +718,7 @@
> } else {
> smb_buffer_response = smb_buffer; /* BB removeme BB */
> }
>- rc = SendReceive(xid, tcon->ses, smb_buffer, smb_buffer_response,
>+ rc = SendReceive(xid, tcon->ses, smb_buffer, smb_buffer_response, MAX_CIFS_SMALL_BUFFER_SIZE,
> &length, 0);
> if (rc)
> cFYI(1, ("Tree disconnect failed %d", rc));
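Review bot: The new parameter is described only as `/* out_buf_size */`, which leaves callers to guess whether it is the usable payload size or the whole allocation behind `out`; the transport.c hunk compares `receive_len` against `out_buf_size - 4`, and every caller in this patch passes a full-allocation constant (`CIFSMaxBufSize + MAX_CIFS_HDR_SIZE` or `MAX_CIFS_SMALL_BUFFER_SIZE`), so the prototypes should state that contract. Suggest `unsigned int /* out_buf_size: total bytes allocated for out */,` on both this hunk and `@@ -55,6 +56,7 @@`. A caller that passes a smaller value only gets a spurious -EIO on a large frame; one that passes a larger value re-opens the overflow this patch closes, which is why the meaning belongs where the prototypes live.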
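Review bot: Each call site now hand-picks `CIFSMaxBufSize + MAX_CIFS_HDR_SIZE` or `MAX_CIFS_SMALL_BUFFER_SIZE`, and nothing in the `@@ -451` hunk or in the other cifssmb.c and connect.c hunks ties that constant to the pool `pSMBr` (or `smb_buffer_response`) was actually allocated from; both values are plain `unsigned int`, so a mismatch compiles silently, and the large constant on a small-pool buffer would defeat the check this patch introduces. If the buffers come from the init helpers that choose the pool (presumably `smb_init`/`small_smb_init`, not visible here), that is the one place the size is known, and recording it there would replace roughly fifty hand-maintained constants. Short of that, each small-buffer site (`@@ -718`, `@@ -774`, `@@ -1727`, `@@ -1815`, `@@ -1882`, `@@ -3741`, `@@ -4741`, `@@ -4822`) deserves a one-line comment naming the allocation it relies on, e.g. `/* pSMBr is from the small buffer pool */`; at `@@ -718` the response lands in the request buffer itself (`smb_buffer_response = smb_buffer`), so the bound must follow `smb_buffer`'s allocation.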
>@@ -774,7 +774,7 @@
>
> pSMB->AndXCommand = 0xFF;
> rc = SendReceive(xid, ses, (struct smb_hdr *) pSMB,
>- smb_buffer_response, &length, 0);
>+ smb_buffer_response, MAX_CIFS_SMALL_BUFFER_SIZE, &length, 0);
> if (ses->server) {
> atomic_dec(&ses->server->socketUseCount);
> if (atomic_read(&ses->server->socketUseCount) == 0) {
>@@ -856,8 +856,8 @@
> pSMB->Reserved4 = 0;
> pSMB->hdr.smb_buf_length += byte_count;
> pSMB->ByteCount = cpu_to_le16(byte_count);
>- rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
>- (struct smb_hdr *) pSMBr, &bytes_returned, 0);
>+ rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB, (struct smb_hdr *) pSMBr,
>+ CIFSMaxBufSize + MAX_CIFS_HDR_SIZE, &bytes_returned, 0);
> if (rc) {
> cFYI(1, ("Posix delete returned %d", rc));
> }
>@@ -903,8 +903,8 @@
> pSMB->BufferFormat = 0x04;
> pSMB->hdr.smb_buf_length += name_len + 1;
> pSMB->ByteCount = cpu_to_le16(name_len + 1);
>- rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
>- (struct smb_hdr *) pSMBr, &bytes_returned, 0);
>+ rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB, (struct smb_hdr *) pSMBr,
>+ CIFSMaxBufSize + MAX_CIFS_HDR_SIZE, &bytes_returned, 0);
> cifs_stats_inc(&tcon->num_deletes);
> if (rc) {
> cFYI(1, ("Error in RMFile = %d", rc));
>@@ -948,8 +948,8 @@
> pSMB->BufferFormat = 0x04;
> pSMB->hdr.smb_buf_length += name_len + 1;
> pSMB->ByteCount = cpu_to_le16(name_len + 1);
>- rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
>- (struct smb_hdr *) pSMBr, &bytes_returned, 0);
>+ rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB, (struct smb_hdr *) pSMBr,
>+ CIFSMaxBufSize + MAX_CIFS_HDR_SIZE, &bytes_returned, 0);
> cifs_stats_inc(&tcon->num_rmdirs);
> if (rc) {
> cFYI(1, ("Error in RMDir = %d", rc));
>@@ -992,8 +992,8 @@
> pSMB->BufferFormat = 0x04;
> pSMB->hdr.smb_buf_length += name_len + 1;
> pSMB->ByteCount = cpu_to_le16(name_len + 1);
>- rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
>- (struct smb_hdr *) pSMBr, &bytes_returned, 0);
>+ rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB, (struct smb_hdr *) pSMBr,
>+ CIFSMaxBufSize + MAX_CIFS_HDR_SIZE, &bytes_returned, 0);
> cifs_stats_inc(&tcon->num_mkdirs);
> if (rc) {
> cFYI(1, ("Error in Mkdir = %d", rc));
>@@ -1071,8 +1071,8 @@
> pSMB->Reserved4 = 0;
> pSMB->hdr.smb_buf_length += byte_count;
> pSMB->ByteCount = cpu_to_le16(byte_count);
>- rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
>- (struct smb_hdr *) pSMBr, &bytes_returned, 0);
>+ rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB, (struct smb_hdr *) pSMBr,
>+ CIFSMaxBufSize + MAX_CIFS_HDR_SIZE, &bytes_returned, 0);
> if (rc) {
> cFYI(1, ("Posix create returned %d", rc));
> goto psx_create_err;
>@@ -1232,8 +1232,8 @@
>
> pSMB->ByteCount = cpu_to_le16(count);
> /* long_op set to 1 to allow for oplock break timeouts */
>- rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
>- (struct smb_hdr *) pSMBr, &bytes_returned, 1);
>+ rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB, (struct smb_hdr *) pSMBr,
>+ CIFSMaxBufSize + MAX_CIFS_HDR_SIZE, &bytes_returned, 1);
> cifs_stats_inc(&tcon->num_opens);
> if (rc) {
> cFYI(1, ("Error in Open = %d", rc));
>@@ -1346,8 +1346,8 @@
>
> pSMB->ByteCount = cpu_to_le16(count);
> /* long_op set to 1 to allow for oplock break timeouts */
>- rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
>- (struct smb_hdr *) pSMBr, &bytes_returned, 1);
>+ rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB, (struct smb_hdr *) pSMBr,
>+ CIFSMaxBufSize + MAX_CIFS_HDR_SIZE, &bytes_returned, 1);
> cifs_stats_inc(&tcon->num_opens);
> if (rc) {
> cFYI(1, ("Error in Open = %d", rc));
>@@ -1564,8 +1564,8 @@
> pSMBW->ByteCount = cpu_to_le16(byte_count);
> }
>
>- rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
>- (struct smb_hdr *) pSMBr, &bytes_returned, long_op);
>+ rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB, (struct smb_hdr *) pSMBr,
>+ CIFSMaxBufSize + MAX_CIFS_HDR_SIZE, &bytes_returned, long_op);
> cifs_stats_inc(&tcon->num_writes);
> if (rc) {
> cFYI(1, ("Send error in write = %d", rc));
>@@ -1727,11 +1727,11 @@
> pSMB->ByteCount = cpu_to_le16(count);
>
> if (waitFlag) {
>- rc = SendReceiveBlockingLock(xid, tcon, (struct smb_hdr *) pSMB,
>- (struct smb_hdr *) pSMBr, &bytes_returned);
>+ rc = SendReceiveBlockingLock(xid, tcon, (struct smb_hdr *) pSMB, (struct smb_hdr *) pSMBr,
>+ MAX_CIFS_SMALL_BUFFER_SIZE, &bytes_returned);
> } else {
>- rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
>- (struct smb_hdr *) pSMBr, &bytes_returned, timeout);
>+ rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB, (struct smb_hdr *) pSMBr,
>+ MAX_CIFS_SMALL_BUFFER_SIZE, &bytes_returned, timeout);
> }
> cifs_stats_inc(&tcon->num_locks);
> if (rc) {
>@@ -1815,11 +1815,11 @@
> pSMB->hdr.smb_buf_length += byte_count;
> pSMB->ByteCount = cpu_to_le16(byte_count);
> if (waitFlag) {
>- rc = SendReceiveBlockingLock(xid, tcon, (struct smb_hdr *) pSMB,
>- (struct smb_hdr *) pSMBr, &bytes_returned);
>+ rc = SendReceiveBlockingLock(xid, tcon, (struct smb_hdr *) pSMB, (struct smb_hdr *) pSMBr,
>+ MAX_CIFS_SMALL_BUFFER_SIZE, &bytes_returned);
> } else {
>- rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
>- (struct smb_hdr *) pSMBr, &bytes_returned, timeout);
>+ rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB, (struct smb_hdr *) pSMBr,
>+ MAX_CIFS_SMALL_BUFFER_SIZE, &bytes_returned, timeout);
> }
>
> if (rc) {
>@@ -1882,8 +1882,8 @@
> pSMB->FileID = (__u16) smb_file_id;
> pSMB->LastWriteTime = 0xFFFFFFFF;
> pSMB->ByteCount = 0;
>- rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
>- (struct smb_hdr *) pSMBr, &bytes_returned, 0);
>+ rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB, (struct smb_hdr *) pSMBr,
>+ MAX_CIFS_SMALL_BUFFER_SIZE, &bytes_returned, 0);
> cifs_stats_inc(&tcon->num_closes);
> if (rc) {
> if (rc != -EINTR) {
>@@ -1955,8 +1955,8 @@
> pSMB->hdr.smb_buf_length += count;
> pSMB->ByteCount = cpu_to_le16(count);
>
>- rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
>- (struct smb_hdr *) pSMBr, &bytes_returned, 0);
>+ rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB, (struct smb_hdr *) pSMBr,
>+ CIFSMaxBufSize + MAX_CIFS_HDR_SIZE, &bytes_returned, 0);
> cifs_stats_inc(&tcon->num_renames);
> if (rc) {
> cFYI(1, ("Send error in rename = %d", rc));
>@@ -2035,8 +2035,8 @@
> pSMB->Reserved4 = 0;
> pSMB->hdr.smb_buf_length += byte_count;
> pSMB->ByteCount = cpu_to_le16(byte_count);
>- rc = SendReceive(xid, pTcon->ses, (struct smb_hdr *) pSMB,
>- (struct smb_hdr *) pSMBr, &bytes_returned, 0);
>+ rc = SendReceive(xid, pTcon->ses, (struct smb_hdr *) pSMB, (struct smb_hdr *) pSMBr,
>+ CIFSMaxBufSize + MAX_CIFS_HDR_SIZE, &bytes_returned, 0);
> cifs_stats_inc(&pTcon->num_t2renames);
> if (rc) {
> cFYI(1, ("Send error in Rename (by file handle) = %d", rc));
>@@ -2104,8 +2104,8 @@
> pSMB->hdr.smb_buf_length += count;
> pSMB->ByteCount = cpu_to_le16(count);
>
>- rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
>- (struct smb_hdr *) pSMBr, &bytes_returned, 0);
>+ rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB, (struct smb_hdr *) pSMBr,
>+ CIFSMaxBufSize + MAX_CIFS_HDR_SIZE, &bytes_returned, 0);
> if (rc) {
> cFYI(1, ("Send error in copy = %d with %d files copied",
> rc, le16_to_cpu(pSMBr->CopyCount)));
>@@ -2194,8 +2194,8 @@
> pSMB->Reserved4 = 0;
> pSMB->hdr.smb_buf_length += byte_count;
> pSMB->ByteCount = cpu_to_le16(byte_count);
>- rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
>- (struct smb_hdr *) pSMBr, &bytes_returned, 0);
>+ rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB, (struct smb_hdr *) pSMBr,
>+ CIFSMaxBufSize + MAX_CIFS_HDR_SIZE, &bytes_returned, 0);
> cifs_stats_inc(&tcon->num_symlinks);
> if (rc) {
> cFYI(1, ("Send error in SetPathInfo create symlink = %d", rc));
>@@ -2282,8 +2282,8 @@
> pSMB->Reserved4 = 0;
> pSMB->hdr.smb_buf_length += byte_count;
> pSMB->ByteCount = cpu_to_le16(byte_count);
>- rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
>- (struct smb_hdr *) pSMBr, &bytes_returned, 0);
>+ rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB, (struct smb_hdr *) pSMBr,
>+ CIFSMaxBufSize + MAX_CIFS_HDR_SIZE, &bytes_returned, 0);
> cifs_stats_inc(&tcon->num_hardlinks);
> if (rc) {
> cFYI(1, ("Send error in SetPathInfo (hard link) = %d", rc));
>@@ -2353,8 +2353,8 @@
> pSMB->hdr.smb_buf_length += count;
> pSMB->ByteCount = cpu_to_le16(count);
>
>- rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
>- (struct smb_hdr *) pSMBr, &bytes_returned, 0);
>+ rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB, (struct smb_hdr *) pSMBr,
>+ CIFSMaxBufSize + MAX_CIFS_HDR_SIZE, &bytes_returned, 0);
> cifs_stats_inc(&tcon->num_hardlinks);
> if (rc) {
> cFYI(1, ("Send error in hard link (NT rename) = %d", rc));
>@@ -2425,8 +2425,8 @@
> pSMB->hdr.smb_buf_length += byte_count;
> pSMB->ByteCount = cpu_to_le16(byte_count);
>
>- rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
>- (struct smb_hdr *) pSMBr, &bytes_returned, 0);
>+ rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB, (struct smb_hdr *) pSMBr,
>+ CIFSMaxBufSize + MAX_CIFS_HDR_SIZE, &bytes_returned, 0);
> if (rc) {
> cFYI(1, ("Send error in QuerySymLinkInfo = %d", rc));
> } else {
>@@ -2587,8 +2587,8 @@
> pSMB->Fid = fid; /* file handle always le */
> pSMB->ByteCount = 0;
>
>- rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
>- (struct smb_hdr *) pSMBr, &bytes_returned, 0);
>+ rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB, (struct smb_hdr *) pSMBr,
>+ CIFSMaxBufSize + MAX_CIFS_HDR_SIZE, &bytes_returned, 0);
> if (rc) {
> cFYI(1, ("Send error in QueryReparseLinkInfo = %d", rc));
> } else { /* decode response */
>@@ -2853,8 +2853,8 @@
> pSMB->hdr.smb_buf_length += byte_count;
> pSMB->ByteCount = cpu_to_le16(byte_count);
>
>- rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
>- (struct smb_hdr *) pSMBr, &bytes_returned, 0);
>+ rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB, (struct smb_hdr *) pSMBr,
>+ CIFSMaxBufSize + MAX_CIFS_HDR_SIZE, &bytes_returned, 0);
> cifs_stats_inc(&tcon->num_acl_get);
> if (rc) {
> cFYI(1, ("Send error in Query POSIX ACL = %d", rc));
>@@ -2945,8 +2945,8 @@
> pSMB->Reserved4 = 0;
> pSMB->hdr.smb_buf_length += byte_count;
> pSMB->ByteCount = cpu_to_le16(byte_count);
>- rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
>- (struct smb_hdr *) pSMBr, &bytes_returned, 0);
>+ rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB, (struct smb_hdr *) pSMBr,
>+ CIFSMaxBufSize + MAX_CIFS_HDR_SIZE, &bytes_returned, 0);
> if (rc) {
> cFYI(1, ("Set POSIX ACL returned %d", rc));
> }
>@@ -3005,8 +3005,8 @@
> pSMB->hdr.smb_buf_length += byte_count;
> pSMB->t2.ByteCount = cpu_to_le16(byte_count);
>
>- rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
>- (struct smb_hdr *) pSMBr, &bytes_returned, 0);
>+ rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB, (struct smb_hdr *) pSMBr,
>+ CIFSMaxBufSize + MAX_CIFS_HDR_SIZE, &bytes_returned, 0);
> if (rc) {
> cFYI(1, ("error %d in GetExtAttr", rc));
> } else {
>@@ -3165,8 +3165,8 @@
> pSMB->hdr.smb_buf_length += (__u16) name_len;
> pSMB->ByteCount = cpu_to_le16(name_len);
>
>- rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
>- (struct smb_hdr *) pSMBr, &bytes_returned, 0);
>+ rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB, (struct smb_hdr *) pSMBr,
>+ CIFSMaxBufSize + MAX_CIFS_HDR_SIZE, &bytes_returned, 0);
> if (rc) {
> cFYI(1, ("Send error in QueryInfo = %d", rc));
> } else if (pFinfo) { /* decode response */
>@@ -3260,8 +3260,8 @@
> pSMB->hdr.smb_buf_length += byte_count;
> pSMB->ByteCount = cpu_to_le16(byte_count);
>
>- rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
>- (struct smb_hdr *) pSMBr, &bytes_returned, 0);
>+ rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB, (struct smb_hdr *) pSMBr,
>+ CIFSMaxBufSize + MAX_CIFS_HDR_SIZE, &bytes_returned, 0);
> if (rc) {
> cFYI(1, ("Send error in QPathInfo = %d", rc));
> } else { /* decode response */
>@@ -3355,8 +3355,8 @@
> pSMB->hdr.smb_buf_length += byte_count;
> pSMB->ByteCount = cpu_to_le16(byte_count);
>
>- rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
>- (struct smb_hdr *) pSMBr, &bytes_returned, 0);
>+ rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB, (struct smb_hdr *) pSMBr,
>+ CIFSMaxBufSize + MAX_CIFS_HDR_SIZE, &bytes_returned, 0);
> if (rc) {
> cFYI(1, ("Send error in QPathInfo = %d", rc));
> } else { /* decode response */
>@@ -3440,8 +3440,8 @@
> pSMB->hdr.smb_buf_length += byte_count;
> pSMB->ByteCount = cpu_to_le16(byte_count);
>
>- rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
>- (struct smb_hdr *) pSMBr, &bytes_returned, 0);
>+ rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB, (struct smb_hdr *) pSMBr,
>+ CIFSMaxBufSize + MAX_CIFS_HDR_SIZE, &bytes_returned, 0);
>
> if (rc) {
> cFYI(1, ("Send error in FindFileDirInfo = %d", rc));
>@@ -3545,8 +3545,8 @@
> pSMB->hdr.smb_buf_length += byte_count;
> pSMB->ByteCount = cpu_to_le16(byte_count);
>
>- rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
>- (struct smb_hdr *) pSMBr, &bytes_returned, 0);
>+ rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB, (struct smb_hdr *) pSMBr,
>+ CIFSMaxBufSize + MAX_CIFS_HDR_SIZE, &bytes_returned, 0);
> cifs_stats_inc(&tcon->num_ffirst);
>
> if (rc) {/* BB add logic to retry regular search if Unix search
>@@ -3661,8 +3661,8 @@
> pSMB->hdr.smb_buf_length += byte_count;
> pSMB->ByteCount = cpu_to_le16(byte_count);
>
>- rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
>- (struct smb_hdr *) pSMBr, &bytes_returned, 0);
>+ rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB, (struct smb_hdr *) pSMBr,
>+ CIFSMaxBufSize + MAX_CIFS_HDR_SIZE, &bytes_returned, 0);
> cifs_stats_inc(&tcon->num_fnext);
> if (rc) {
> if (rc == -EBADF) {
>@@ -3741,8 +3741,8 @@
> pSMBr = (CLOSE_RSP *)pSMB; /* BB removeme BB */
> pSMB->FileID = searchHandle;
> pSMB->ByteCount = 0;
>- rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
>- (struct smb_hdr *) pSMBr, &bytes_returned, 0);
>+ rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB, (struct smb_hdr *) pSMBr,
>+ MAX_CIFS_SMALL_BUFFER_SIZE, &bytes_returned, 0);
> if (rc) {
> cERROR(1, ("Send error in FindClose = %d", rc));
> }
>@@ -3815,8 +3815,8 @@
> pSMB->hdr.smb_buf_length += byte_count;
> pSMB->ByteCount = cpu_to_le16(byte_count);
>
>- rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
>- (struct smb_hdr *) pSMBr, &bytes_returned, 0);
>+ rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB, (struct smb_hdr *) pSMBr,
>+ CIFSMaxBufSize + MAX_CIFS_HDR_SIZE, &bytes_returned, 0);
> if (rc) {
> cFYI(1, ("error %d in QueryInternalInfo", rc));
> } else {
>@@ -3934,8 +3934,8 @@
> pSMB->hdr.smb_buf_length += byte_count;
> pSMB->ByteCount = cpu_to_le16(byte_count);
>
>- rc = SendReceive(xid, ses, (struct smb_hdr *) pSMB,
>- (struct smb_hdr *) pSMBr, &bytes_returned, 0);
>+ rc = SendReceive(xid, ses, (struct smb_hdr *) pSMB, (struct smb_hdr *) pSMBr,
>+ CIFSMaxBufSize + MAX_CIFS_HDR_SIZE, &bytes_returned, 0);
> if (rc) {
> cFYI(1, ("Send error in GetDFSRefer = %d", rc));
> } else { /* decode response */
>@@ -4088,8 +4088,8 @@
> pSMB->hdr.smb_buf_length += byte_count;
> pSMB->ByteCount = cpu_to_le16(byte_count);
>
>- rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
>- (struct smb_hdr *) pSMBr, &bytes_returned, 0);
>+ rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB, (struct smb_hdr *) pSMBr,
>+ CIFSMaxBufSize + MAX_CIFS_HDR_SIZE, &bytes_returned, 0);
> if (rc) {
> cFYI(1, ("Send error in QFSInfo = %d", rc));
> } else { /* decode response */
>@@ -4168,8 +4168,8 @@
> pSMB->hdr.smb_buf_length += byte_count;
> pSMB->ByteCount = cpu_to_le16(byte_count);
>
>- rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
>- (struct smb_hdr *) pSMBr, &bytes_returned, 0);
>+ rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB, (struct smb_hdr *) pSMBr,
>+ CIFSMaxBufSize + MAX_CIFS_HDR_SIZE, &bytes_returned, 0);
> if (rc) {
> cFYI(1, ("Send error in QFSInfo = %d", rc));
> } else { /* decode response */
>@@ -4248,8 +4248,8 @@
> pSMB->hdr.smb_buf_length += byte_count;
> pSMB->ByteCount = cpu_to_le16(byte_count);
>
>- rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
>- (struct smb_hdr *) pSMBr, &bytes_returned, 0);
>+ rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB, (struct smb_hdr *) pSMBr,
>+ CIFSMaxBufSize + MAX_CIFS_HDR_SIZE, &bytes_returned, 0);
> if (rc) {
> cERROR(1, ("Send error in QFSAttributeInfo = %d", rc));
> } else { /* decode response */
>@@ -4318,8 +4318,8 @@
> pSMB->hdr.smb_buf_length += byte_count;
> pSMB->ByteCount = cpu_to_le16(byte_count);
>
>- rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
>- (struct smb_hdr *) pSMBr, &bytes_returned, 0);
>+ rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB, (struct smb_hdr *) pSMBr,
>+ CIFSMaxBufSize + MAX_CIFS_HDR_SIZE, &bytes_returned, 0);
> if (rc) {
> cFYI(1, ("Send error in QFSDeviceInfo = %d", rc));
> } else { /* decode response */
>@@ -4386,8 +4386,8 @@
> pSMB->hdr.smb_buf_length += byte_count;
> pSMB->ByteCount = cpu_to_le16(byte_count);
>
>- rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
>- (struct smb_hdr *) pSMBr, &bytes_returned, 0);
>+ rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB, (struct smb_hdr *) pSMBr,
>+ CIFSMaxBufSize + MAX_CIFS_HDR_SIZE, &bytes_returned, 0);
> if (rc) {
> cERROR(1, ("Send error in QFSUnixInfo = %d", rc));
> } else { /* decode response */
>@@ -4468,8 +4468,8 @@
> pSMB->hdr.smb_buf_length += byte_count;
> pSMB->ByteCount = cpu_to_le16(byte_count);
>
>- rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
>- (struct smb_hdr *) pSMBr, &bytes_returned, 0);
>+ rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB, (struct smb_hdr *) pSMBr,
>+ CIFSMaxBufSize + MAX_CIFS_HDR_SIZE, &bytes_returned, 0);
> if (rc) {
> cERROR(1, ("Send error in SETFSUnixInfo = %d", rc));
> } else { /* decode response */
>@@ -4530,8 +4530,8 @@
> pSMB->hdr.smb_buf_length += byte_count;
> pSMB->ByteCount = cpu_to_le16(byte_count);
>
>- rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
>- (struct smb_hdr *) pSMBr, &bytes_returned, 0);
>+ rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB, (struct smb_hdr *) pSMBr,
>+ CIFSMaxBufSize + MAX_CIFS_HDR_SIZE, &bytes_returned, 0);
> if (rc) {
> cFYI(1, ("Send error in QFSUnixInfo = %d", rc));
> } else { /* decode response */
>@@ -4656,8 +4656,8 @@
> pSMB->hdr.smb_buf_length += byte_count;
> parm_data->FileSize = cpu_to_le64(size);
> pSMB->ByteCount = cpu_to_le16(byte_count);
>- rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
>- (struct smb_hdr *) pSMBr, &bytes_returned, 0);
>+ rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB, (struct smb_hdr *) pSMBr,
>+ CIFSMaxBufSize + MAX_CIFS_HDR_SIZE, &bytes_returned, 0);
> if (rc) {
> cFYI(1, ("SetPathInfo (file size) returned %d", rc));
> }
>@@ -4741,8 +4741,8 @@
> pSMB->Reserved4 = 0;
> pSMB->hdr.smb_buf_length += byte_count;
> pSMB->ByteCount = cpu_to_le16(byte_count);
>- rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
>- (struct smb_hdr *) pSMBr, &bytes_returned, 0);
>+ rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB, (struct smb_hdr *) pSMBr,
>+ MAX_CIFS_SMALL_BUFFER_SIZE, &bytes_returned, 0);
> if (rc) {
> cFYI(1,
> ("Send error in SetFileInfo (SetFileSize) = %d",
>@@ -4822,8 +4822,8 @@
> pSMB->hdr.smb_buf_length += byte_count;
> pSMB->ByteCount = cpu_to_le16(byte_count);
> memcpy(data_offset, data, sizeof(FILE_BASIC_INFO));
>- rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
>- (struct smb_hdr *) pSMBr, &bytes_returned, 0);
>+ rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB, (struct smb_hdr *) pSMBr,
>+ MAX_CIFS_SMALL_BUFFER_SIZE, &bytes_returned, 0);
> if (rc) {
> cFYI(1, ("Send error in Set Time (SetFileInfo) = %d", rc));
> }
>@@ -4902,8 +4902,8 @@
> pSMB->hdr.smb_buf_length += byte_count;
> memcpy(data_offset, data, sizeof (FILE_BASIC_INFO));
> pSMB->ByteCount = cpu_to_le16(byte_count);
>- rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
>- (struct smb_hdr *) pSMBr, &bytes_returned, 0);
>+ rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB, (struct smb_hdr *) pSMBr,
>+ CIFSMaxBufSize + MAX_CIFS_HDR_SIZE, &bytes_returned, 0);
> if (rc) {
> cFYI(1, ("SetPathInfo (times) returned %d", rc));
> }
>@@ -4954,8 +4954,8 @@
> pSMB->BufferFormat = 0x04;
> pSMB->hdr.smb_buf_length += name_len + 1;
> pSMB->ByteCount = cpu_to_le16(name_len + 1);
>- rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
>- (struct smb_hdr *) pSMBr, &bytes_returned, 0);
>+ rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB, (struct smb_hdr *) pSMBr,
>+ CIFSMaxBufSize + MAX_CIFS_HDR_SIZE, &bytes_returned, 0);
> if (rc) {
> cFYI(1, ("Error in LegacySetAttr = %d", rc));
> }
>@@ -5065,8 +5065,8 @@
>
>
> pSMB->ByteCount = cpu_to_le16(byte_count);
>- rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
>- (struct smb_hdr *) pSMBr, &bytes_returned, 0);
>+ rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB, (struct smb_hdr *) pSMBr,
>+ CIFSMaxBufSize + MAX_CIFS_HDR_SIZE, &bytes_returned, 0);
> if (rc) {
> cFYI(1, ("SetPathInfo (perms) returned %d", rc));
> }
>@@ -5119,8 +5119,8 @@
> pSMB->Fid = netfid; /* file handle always le */
> pSMB->ByteCount = 0;
>
>- rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
>- (struct smb_hdr *) pSMBr, &bytes_returned, -1);
>+ rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB, (struct smb_hdr *) pSMBr,
>+ CIFSMaxBufSize + MAX_CIFS_HDR_SIZE, &bytes_returned, -1);
> if (rc) {
> cFYI(1, ("Error in Notify = %d", rc));
> } else {
>@@ -5209,8 +5209,8 @@
> pSMB->hdr.smb_buf_length += byte_count;
> pSMB->ByteCount = cpu_to_le16(byte_count);
>
>- rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
>- (struct smb_hdr *) pSMBr, &bytes_returned, 0);
>+ rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB, (struct smb_hdr *) pSMBr,
>+ CIFSMaxBufSize + MAX_CIFS_HDR_SIZE, &bytes_returned, 0);
> if (rc) {
> cFYI(1, ("Send error in QueryAllEAs = %d", rc));
> } else { /* decode response */
>@@ -5357,8 +5357,8 @@
> pSMB->hdr.smb_buf_length += byte_count;
> pSMB->ByteCount = cpu_to_le16(byte_count);
>
>- rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
>- (struct smb_hdr *) pSMBr, &bytes_returned, 0);
>+ rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB, (struct smb_hdr *) pSMBr,
>+ CIFSMaxBufSize + MAX_CIFS_HDR_SIZE, &bytes_returned, 0);
> if (rc) {
> cFYI(1, ("Send error in Query EA = %d", rc));
> } else { /* decode response */
>@@ -5541,8 +5541,8 @@
> pSMB->Reserved4 = 0;
> pSMB->hdr.smb_buf_length += byte_count;
> pSMB->ByteCount = cpu_to_le16(byte_count);
>- rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB,
>- (struct smb_hdr *) pSMBr, &bytes_returned, 0);
>+ rc = SendReceive(xid, tcon->ses, (struct smb_hdr *) pSMB, (struct smb_hdr *) pSMBr,
>+ CIFSMaxBufSize + MAX_CIFS_HDR_SIZE, &bytes_returned, 0);
> if (rc) {
> cFYI(1, ("SetPathInfo (EA) returned %d", rc));
> }
>diff -ruN linux-2.6.23.1.orig/fs/cifs/connect.c linux-2.6.23.1/fs/cifs/connect.c
>--- linux-2.6.23.1.orig/fs/cifs/connect.c 2007-11-07 14:45:46.000000000 +0100
>+++ linux-2.6.23.1/fs/cifs/connect.c 2007-11-08 00:38:40.000000000 +0100
>@@ -2359,7 +2359,7 @@
> pSMB->req_no_secext.ByteCount = cpu_to_le16(count);
>
> rc = SendReceive(xid, ses, smb_buffer, smb_buffer_response,
>- &bytes_returned, 1);
>+ CIFSMaxBufSize + MAX_CIFS_HDR_SIZE, &bytes_returned, 1);
> if (rc) {
> /* rc = map_smb_to_linux_error(smb_buffer_response); now done in SendReceive */
> } else if ((smb_buffer_response->WordCount == 3)
>@@ -2664,7 +2664,7 @@
> pSMB->req.ByteCount = cpu_to_le16(count);
>
> rc = SendReceive(xid, ses, smb_buffer, smb_buffer_response,
>- &bytes_returned, 1);
>+ CIFSMaxBufSize + MAX_CIFS_HDR_SIZE, &bytes_returned, 1);
>
> if (smb_buffer_response->Status.CifsError ==
> cpu_to_le32(NT_STATUS_MORE_PROCESSING_REQUIRED))
>@@ -3098,7 +3098,7 @@
> pSMB->req.ByteCount = cpu_to_le16(count);
>
> rc = SendReceive(xid, ses, smb_buffer, smb_buffer_response,
>- &bytes_returned, 1);
>+ CIFSMaxBufSize + MAX_CIFS_HDR_SIZE, &bytes_returned, 1);
> if (rc) {
> /* rc = map_smb_to_linux_error(smb_buffer_response); *//* done in SendReceive now */
> } else if ((smb_buffer_response->WordCount == 3)
>@@ -3379,7 +3379,8 @@
> pSMB->hdr.smb_buf_length += count;
> pSMB->ByteCount = cpu_to_le16(count);
>
>- rc = SendReceive(xid, ses, smb_buffer, smb_buffer_response, &length, 0);
>+ rc = SendReceive(xid, ses, smb_buffer, smb_buffer_response,
>+ CIFSMaxBufSize + MAX_CIFS_HDR_SIZE, &length, 0);
>
> /* if (rc) rc = map_smb_to_linux_error(smb_buffer_response); */
> /* above now done in SendReceive */
>diff -ruN linux-2.6.23.1.orig/fs/cifs/transport.c linux-2.6.23.1/fs/cifs/transport.c
>--- linux-2.6.23.1.orig/fs/cifs/transport.c 2007-11-07 14:45:46.000000000 +0100
>+++ linux-2.6.23.1/fs/cifs/transport.c 2007-11-08 00:42:56.000000000 +0100
>@@ -597,6 +597,7 @@
> int
> SendReceive(const unsigned int xid, struct cifsSesInfo *ses,
> struct smb_hdr *in_buf, struct smb_hdr *out_buf,
>+ unsigned int out_buf_size,
> int *pbytes_returned, const int long_op)
> {
> int rc = 0;
>@@ -719,7 +720,7 @@
> return rc;
> }
>
>- if (receive_len > CIFSMaxBufSize + MAX_CIFS_HDR_SIZE) {
>+ if (receive_len > out_buf_size - 4) {
> cERROR(1, ("Frame too large received. Length: %d Xid: %d",
> receive_len, xid));
> rc = -EIO;
>@@ -801,7 +802,8 @@
> static int
> send_lock_cancel(const unsigned int xid, struct cifsTconInfo *tcon,
> struct smb_hdr *in_buf,
>- struct smb_hdr *out_buf)
>+ struct smb_hdr *out_buf,
>+ unsigned int out_buf_size)
> {
> int bytes_returned;
> struct cifsSesInfo *ses = tcon->ses;
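Review bot: In the `@@ -719,7 +720,7 @@` hunk, `receive_len > out_buf_size - 4` subtracts an unexplained constant from an unsigned, caller-supplied value; a caller that ever passes a size below 4 wraps the right-hand side to near UINT_MAX and the frame-size check then accepts any length, which is exactly the condition this patch exists to reject. Guard the argument explicitly, `if (out_buf_size < 4 || receive_len > out_buf_size - 4) {`, and put a one-line comment above it saying what the 4 accounts for relative to `receive_len` (presumably the length prefix that `receive_len` does not count, but the hunk does not show that). The identical expression is introduced in `SendReceiveBlockingLock` at `@@ -963,7 +966,7 @@`; a single static helper used by both keeps the two checks from drifting apart. The body of `SendReceive` continues outside this hunk, so whether `receive_len` is validated anywhere else is not visible here.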
>@@ -816,13 +818,14 @@
> pSMB->Timeout = 0;
> pSMB->hdr.Mid = GetNextMid(ses->server);
>
>- return SendReceive(xid, ses, in_buf, out_buf,
>+ return SendReceive(xid, ses, in_buf, out_buf, out_buf_size,
> &bytes_returned, 0);
> }
>
> int
> SendReceiveBlockingLock(const unsigned int xid, struct cifsTconInfo *tcon,
> struct smb_hdr *in_buf, struct smb_hdr *out_buf,
>+ unsigned int out_buf_size,
> int *pbytes_returned)
> {
> int rc = 0;
>@@ -917,7 +920,7 @@
> /* Windows lock. We send a LOCKINGX_CANCEL_LOCK
> to cause the blocking lock to return. */
>
>- rc = send_lock_cancel(xid, tcon, in_buf, out_buf);
>+ rc = send_lock_cancel(xid, tcon, in_buf, out_buf, out_buf_size);
>
> /* If we get -ENOLCK back the lock may have
> already been removed. Don't exit in this case. */
>@@ -963,7 +966,7 @@
> return rc;
> }
>
>- if (receive_len > CIFSMaxBufSize + MAX_CIFS_HDR_SIZE) {
>+ if (receive_len > out_buf_size - 4) {
> cERROR(1, ("Frame too large received. Length: %d Xid: %d",
> receive_len, xid));
> rc = -EIO;