cifs: clean up unaligned accesses in validate_t2 (12df83c9) · Commits · e / devices / android_kernel_teracube_2e

fs/cifs/cifssmb.c

+23 −21

Original line number	Diff line number	Diff line
		@@ -331,31 +331,33 @@ smb_init_no_reconnect(int smb_command, int wct, struct cifsTconInfo *tcon,

		static int validate_t2(struct smb_t2_rsp *pSMB)
		{
		int rc = -EINVAL;
		int total_size;
		unsigned int total_size;

		/* check for plausible wct */
		if (pSMB->hdr.WordCount < 10)
		goto vt2_err;

		/* check for plausible wct, bcc and t2 data and parm sizes */
		/* check for parm and data offset going beyond end of smb */
		if (pSMB->hdr.WordCount >= 10) {
		if ((le16_to_cpu(pSMB->t2_rsp.ParameterOffset) <= 1024) &&
		(le16_to_cpu(pSMB->t2_rsp.DataOffset) <= 1024)) {
		if (get_unaligned_le16(&pSMB->t2_rsp.ParameterOffset) > 1024 \|\|
		get_unaligned_le16(&pSMB->t2_rsp.DataOffset) > 1024)
		goto vt2_err;

		/* check that bcc is at least as big as parms + data */
		/* check that bcc is less than negotiated smb buffer */
		total_size = le16_to_cpu(pSMB->t2_rsp.ParameterCount);
		if (total_size < 512) {
		total_size +=
		le16_to_cpu(pSMB->t2_rsp.DataCount);
		if (total_size <= get_bcc(&pSMB->hdr) &&
		total_size <
		CIFSMaxBufSize + MAX_CIFS_HDR_SIZE) {
		total_size = get_unaligned_le16(&pSMB->t2_rsp.ParameterCount);
		if (total_size >= 512)
		goto vt2_err;

		total_size += get_unaligned_le16(&pSMB->t2_rsp.DataCount);
		if (total_size > get_bcc(&pSMB->hdr) \|\|
		total_size >= CIFSMaxBufSize + MAX_CIFS_HDR_SIZE)
		goto vt2_err;

		return 0;
		}
		}
		}
		}
		vt2_err:
		cifs_dump_mem("Invalid transact2 SMB: ", (char *)pSMB,
		sizeof(struct smb_t2_rsp) + 16);
		return rc;
		return -EINVAL;
		}

		int