cifs: Fix potential OOB access of lock element array (2a71a47e) · Commits · e / devices / android_kernel_oneplus_sm7250

fs/cifs/file.c

+4 −4

Original line number	Diff line number	Diff line
		@@ -1120,10 +1120,10 @@ cifs_push_mandatory_locks(struct cifsFileInfo *cfile)

		/*
		* Accessing maxBuf is racy with cifs_reconnect - need to store value
		* and check it for zero before using.
		* and check it before using.
		*/
		max_buf = tcon->ses->server->maxBuf;
		if (!max_buf) {
		if (max_buf < (sizeof(struct smb_hdr) + sizeof(LOCKING_ANDX_RANGE))) {
		free_xid(xid);
		return -EINVAL;
		}
		@@ -1460,10 +1460,10 @@ cifs_unlock_range(struct cifsFileInfo cfile, struct file_lock flock,

		/*
		* Accessing maxBuf is racy with cifs_reconnect - need to store value
		* and check it for zero before using.
		* and check it before using.
		*/
		max_buf = tcon->ses->server->maxBuf;
		if (!max_buf)
		if (max_buf < (sizeof(struct smb_hdr) + sizeof(LOCKING_ANDX_RANGE)))
		return -EINVAL;

		max_num = (max_buf - sizeof(struct smb_hdr)) /

+2 −2

Original line number	Diff line number	Diff line
		@@ -122,10 +122,10 @@ smb2_unlock_range(struct cifsFileInfo cfile, struct file_lock flock,

		/*
		* Accessing maxBuf is racy with cifs_reconnect - need to store value
		* and check it for zero before using.
		* and check it before using.
		*/
		max_buf = tcon->ses->server->maxBuf;
		if (!max_buf)
		if (max_buf < sizeof(struct smb2_lock_element))
		return -EINVAL;

		max_num = max_buf / sizeof(struct smb2_lock_element);