
Commit 7ff8d45c authored by Steve French

Fix corrupt SMB2 ioctl requests



We were off by one calculating the length of ioctls in some cases
because the protocol specification for SMB2 ioctl includes a minimum
one byte payload but not all SMB2 ioctl requests actually have
a data buffer to send. We were also not zeroing out the
return buffer (in case of error this is helpful).

Signed-off-by: Steve French <smfrench@gmail.com>
parent 959f5854
+17 −4
@@ -1137,6 +1137,7 @@ SMB2_ioctl(const unsigned int xid, struct cifs_tcon *tcon, u64 persistent_fid,

	cifs_dbg(FYI, "SMB2 IOCTL\n");

	*out_data = NULL;
	/* zero out returned data len, in case of error */
	if (plen)
		*plen = 0;
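
Review bot: `*out_data = NULL;` at the top of SMB2_ioctl writes through out_data unconditionally, while the lines right after it guard plen with `if (plen)` before writing through it. If any caller may pass a NULL out_data, this needs the same guard (`if (out_data) *out_data = NULL;`); if out_data is always required, a short comment saying so would explain the asymmetry. The existing "zero out returned data len" comment could also move above both assignments so it covers the pointer reset as well.
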
@@ -1182,11 +1183,23 @@ SMB2_ioctl(const unsigned int xid, struct cifs_tcon *tcon, u64 persistent_fid,
		req->Flags = 0;

	iov[0].iov_base = (char *)req;
	/* 4 for rfc1002 length field */

	/*
	 * If no input data, the size of ioctl struct in
	 * protocol spec still includes a 1 byte data buffer,
	 * but if input data passed to ioctl, we do not
	 * want to double count this, so we do not send
	 * the dummy one byte of data in iovec[0] if sending
	 * input data (in iovec[1]). We also must add 4 bytes
	 * in first iovec to allow for rfc1002 length field.
	 */

	if (indatalen) {
		iov[0].iov_len = get_rfc1002_length(req) + 4 - 1;
		inc_rfc1001_len(req, indatalen - 1);
	} else
		iov[0].iov_len = get_rfc1002_length(req) + 4;

	if (indatalen)
		inc_rfc1001_len(req, indatalen);

	rc = SendReceive2(xid, ses, iov, num_iovecs, &resp_buftype, 0);
	rsp = (struct smb2_ioctl_rsp *)iov[0].iov_base;
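
Review bot: the `if (indatalen)` branch drops the one-byte placeholder from both `iov[0].iov_len` and the RFC1002 length, which is only correct when a second iovec carrying exactly indatalen bytes is really sent; the hunk keys this on indatalen alone and passes num_iovecs to SendReceive2 without showing that it is set under the same condition. Consider deriving the iovec count and the length adjustment from one test (or checking the input data pointer alongside indatalen) so the length field and the bytes on the wire cannot disagree. Style: the `else` arm should carry braces because the `if` arm does, and the comment refers to `iovec[0]` and `iovec[1]` where the variable is named `iov`.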