Commit bfacf222 authored by Jeff Layton, committed by Steve French

cifs: change bleft in decode_unicode_ssetup back to signed type



The buffer length checks in this function depend on this value being a
signed data type, but 690c522f converted it to an unsigned type.

Also, eliminate a problem with the null termination check in the same
function. cifs_strndup_from_ucs handles that situation correctly
already, and the existing check could potentially lead to a buffer
overrun since it increments bleft without checking to see whether it
falls off the end of the buffer.

Cc: stable@kernel.org
Reported-and-Acked-by: David Howells <dhowells@redhat.com>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
parent fafc9929
+1 −14
@@ -276,7 +276,7 @@ static void ascii_ssetup_strings(char **pbcc_area, struct cifsSesInfo *ses,
}

static void
decode_unicode_ssetup(char **pbcc_area, __u16 bleft, struct cifsSesInfo *ses,
decode_unicode_ssetup(char **pbcc_area, int bleft, struct cifsSesInfo *ses,
		      const struct nls_table *nls_cp)
{
	int len;
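Review bot: Nothing at the decode_unicode_ssetup() signature records that bleft has to stay signed, so a later type cleanup could repeat the conversion this commit reverts. The commit message says the length checks in the function depend on the signedness; a one-line comment above the function saying so (for example, that bleft is decremented as strings are consumed and is tested for going to zero or below) would keep the reason next to the parameter. The callers are not shown in this diff, so it is also worth confirming that the value they pass cannot be changed by the conversion to int, and that a negative or zero bleft is rejected before data is dereferenced.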
@@ -284,19 +284,6 @@ decode_unicode_ssetup(char **pbcc_area, __u16 bleft, struct cifsSesInfo *ses,

	cFYI(1, "bleft %d", bleft);

	/*
	 * Windows servers do not always double null terminate their final
	 * Unicode string. Check to see if there are an uneven number of bytes
	 * left. If so, then add an extra NULL pad byte to the end of the
	 * response.
	 *
	 * See section 2.7.2 in "Implementing CIFS" for details
	 */
	if (bleft % 2) {
		data[bleft] = 0;
		++bleft;
	}

	kfree(ses->serverOS);
	ses->serverOS = cifs_strndup_from_ucs(data, bleft, true, nls_cp);
	cFYI(1, "serverOS=%s", ses->serverOS);
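Review bot: With the pad block gone, the call cifs_strndup_from_ucs(data, bleft, true, nls_cp) can now be reached with an odd bleft, and the only statement that this is safe is in the commit message. The removed code was right to go, since data[bleft] = 0 wrote one byte past the bleft bytes known to be present and then extended bleft over it, but the comment it carried also documented a real server behaviour (the final Unicode string is not always double null terminated). I would keep a short comment at this call noting that an odd or unterminated remainder is expected here and is handled by cifs_strndup_from_ucs, so the check is not reintroduced later. The rest of the function is outside this hunk; any later arithmetic on bleft should be checked for the assumption that it is even.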