Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit b77d753c authored by Steve French's avatar Steve French
Browse files

[CIFS] Check that last search entry resume key is valid 



Jeff's recent patch to add a last_entry field in the search structure
to better construct resume keys did not validate that the server
sent us a plausible pointer to the last entry.  This adds that.

Signed-off-by: default avatarSteve French <sfrench@us.ibm.com>
parent 0752f152

fs/cifs/cifssmb.c

+24 −3
Original line number Diff line number Diff line
@@ -3614,6 +3614,8 @@ findFirstRetry: 
		/* BB remember to free buffer if error BB */

		rc = validate_t2((struct smb_t2_rsp *)pSMBr);

		if (rc == 0) {

			unsigned int lnoff;



			if (pSMBr->hdr.Flags2 & SMBFLG2_UNICODE)

				psrch_inf->unicode = true;

			else
@@ -3636,8 +3638,17 @@ findFirstRetry: 
					le16_to_cpu(parms->SearchCount);

			psrch_inf->index_of_last_entry = 2 /* skip . and .. */ +

				psrch_inf->entries_in_buffer;

			lnoff = le16_to_cpu(parms->LastNameOffset);

			if (tcon->ses->server->maxBuf - MAX_CIFS_HDR_SIZE <

			      lnoff) {

				cERROR(1, ("ignoring corrupt resume name"));

				psrch_inf->last_entry = NULL;

				return rc;

			}



			psrch_inf->last_entry = psrch_inf->srch_entries_start +

					le16_to_cpu(parms->LastNameOffset);

							lnoff;



			*pnetfid = parms->SearchHandle;

		} else {

			cifs_buf_release(pSMB);
@@ -3727,6 +3738,8 @@ int CIFSFindNext(const int xid, struct cifsTconInfo *tcon, 
		rc = validate_t2((struct smb_t2_rsp *)pSMBr);



		if (rc == 0) {

			unsigned int lnoff;



			/* BB fixme add lock for file (srch_info) struct here */

			if (pSMBr->hdr.Flags2 & SMBFLG2_UNICODE)

				psrch_inf->unicode = true;
@@ -3753,8 +3766,16 @@ int CIFSFindNext(const int xid, struct cifsTconInfo *tcon, 
						le16_to_cpu(parms->SearchCount);

			psrch_inf->index_of_last_entry +=

				psrch_inf->entries_in_buffer;

			psrch_inf->last_entry = psrch_inf->srch_entries_start +

					le16_to_cpu(parms->LastNameOffset);

			lnoff = le16_to_cpu(parms->LastNameOffset);

			if (tcon->ses->server->maxBuf - MAX_CIFS_HDR_SIZE <

			      lnoff) {

				cERROR(1, ("ignoring corrupt resume name"));

				psrch_inf->last_entry = NULL;

				return rc;

			} else

				psrch_inf->last_entry =

					psrch_inf->srch_entries_start + lnoff;



/*  cFYI(1,("fnxt2 entries in buf %d index_of_last %d",

	    psrch_inf->entries_in_buffer, psrch_inf->index_of_last_entry)); */