
Commit 1f630680 authored by Jeff Layton, committed by Steve French

cifs: deal with id_to_sid embedded sid reply corner case



A SID could potentially be embedded inside of payload.value if there are
no subauthorities, and the arch has 8 byte pointers. Allow for that
possibility there.

While we're at it, rephrase the "embedding" check in terms of
key->payload to allow for the possibility that the union might change
size in the future.

Reviewed-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <smfrench@gmail.com>
parent 7ee0b4c6
+12 −3
@@ -57,7 +57,7 @@ cifs_idmap_key_instantiate(struct key *key, struct key_preparsed_payload *prep)
	 * With this however, you must check the datalen before trying to
	 * dereference payload.data!
	 */
	if (prep->datalen <= sizeof(void *)) {
	if (prep->datalen <= sizeof(key->payload)) {
		key->payload.value = 0;
		memcpy(&key->payload.value, prep->data, prep->datalen);
		key->datalen = prep->datalen;
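Review bot: In cifs_idmap_key_instantiate the bound is now sizeof(key->payload), but the zeroing and the copy still target the value member: `key->payload.value = 0;` clears only that member, and `memcpy(&key->payload.value, prep->data, prep->datalen);` can write up to sizeof(key->payload) bytes through a pointer to it. If the union ever becomes larger than value, which is the case the commit message wants to allow for, a short payload leaves the tail of the union uninitialized. Suggest clearing the whole union with memset(&key->payload, 0, sizeof(key->payload)) and copying to &key->payload, so the bound and the destination name the same object.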
@@ -76,7 +76,7 @@ cifs_idmap_key_instantiate(struct key *key, struct key_preparsed_payload *prep)
static inline void
cifs_idmap_key_destroy(struct key *key)
{
	if (key->datalen > sizeof(void *))
	if (key->datalen > sizeof(key->payload))
		kfree(key->payload.data);
}

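Review bot: The test in cifs_idmap_key_destroy, `key->datalen > sizeof(key->payload)`, has to remain the exact complement of the one in cifs_idmap_key_instantiate, and this patch adds a third copy of the same predicate in id_to_sid. If the copies drift apart, kfree(key->payload.data) would be handed embedded bytes rather than an allocated pointer. Suggest a small inline helper or macro for "payload is embedded", used at all three sites.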
@@ -216,7 +216,15 @@ id_to_sid(unsigned int cid, uint sidtype, struct cifs_sid *ssid)
		goto invalidate_key;
	}

	ksid = (struct cifs_sid *)sidkey->payload.data;
	/*
	 * A sid is usually too large to be embedded in payload.value, but if
	 * there are no subauthorities and the host has 8-byte pointers, then
	 * it could be.
	 */
	ksid = sidkey->datalen <= sizeof(sidkey->payload) ?
		(struct cifs_sid *)&sidkey->payload.value :
		(struct cifs_sid *)sidkey->payload.data;

	ksid_size = CIFS_SID_BASE_SIZE + (ksid->num_subauth * sizeof(__le32));
	if (ksid_size > sidkey->datalen) {
		rc = -EIO;
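Review bot: In id_to_sid, ksid->num_subauth is read to compute ksid_size before anything confirms that sidkey->datalen covers the fixed part of the SID; the only length check is `if (ksid_size > sidkey->datalen)`, which runs afterwards. With the new embedded branch, a very short payload makes that read land in payload.value, which is harmless only because instantiate zeroed it first. Suggest rejecting sidkey->datalen < CIFS_SID_BASE_SIZE before the dereference so the check does not depend on that. The new comment could also say that the decision is made on sizeof(sidkey->payload), since it currently speaks only of 8-byte pointers.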
@@ -224,6 +232,7 @@ id_to_sid(unsigned int cid, uint sidtype, struct cifs_sid *ssid)
			"ksid_size=%u)", __func__, sidkey->datalen, ksid_size);
		goto invalidate_key;
	}

	cifs_copy_sid(ssid, ksid);
out_key_put:
	key_put(sidkey);
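Review bot: The blank line added before `cifs_copy_sid(ssid, ksid);` is a whitespace-only change unrelated to the embedded-SID fix; drop it or move it to a cleanup patch. If the spacing stays, a one-line comment there would be more useful: in the embedded case ksid points into sidkey itself, so the copy has to stay ahead of key_put(sidkey).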