From: <Urban.Widmark@enlight.net>
The memset is because it was previously possible to always send the same CIFS
fragment and use this to increase the data counters. When the data counter
"exceeds" the amount of bytes expected, this will return the buffer only
partially initialised... With findfirst etc. requests this should allow
leaking kernel memory content.
The other thing is that the data is only returned when data_tot and parm_tot
both "exceed" the expected values. Previously it was possible to create a
sequence of CIFS fragments that allowed exceeding the counters. The calling
functions then would believe they received a number of bytes that does not fit
into the allocated buffer.
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
req->rq_trans2buffer = smb_kmalloc(buf_len, GFP_NOFS);
if (!req->rq_trans2buffer)
goto out_no_mem;
+ memset(req->rq_trans2buffer, 0, buf_len);
req->rq_parm = req->rq_trans2buffer;
req->rq_data = req->rq_trans2buffer + parm_tot;
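Review bot: the new `memset(req->rq_trans2buffer, 0, buf_len);` has no comment saying why it is required, and the reason (the counter check below can hand back a buffer that was only partially filled by fragments, so uninitialised kernel memory would otherwise be exposed to userspace) is exactly the kind of non-obvious invariant that gets dropped in a later cleanup; add a one-line comment above the memset stating that the buffer must be zeroed because rq_ldata/rq_lparm may be reached without every byte of the buffer having been written. The extra write of buf_len bytes per trans2 request is the right trade for closing the leak, and keeping it immediately after the allocation (before rq_parm/rq_data are pointed into the buffer) is the correct placement.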
* Check whether we've received all of the data. Note that
* we use the packet totals -- total lengths might shrink!
*/
- if (req->rq_ldata >= data_tot && req->rq_lparm >= parm_tot)
+ if (req->rq_ldata >= data_tot && req->rq_lparm >= parm_tot) {
+ req->rq_ldata = data_tot;
+ req->rq_lparm = parm_tot;
return 0;
+ }
return 1;
out_too_long:
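Review bot: the success branch now clamps `req->rq_ldata = data_tot;` and `req->rq_lparm = parm_tot;`, which stops callers from believing they received more than the allocated buffer holds, but the condition is still `>=`, so a fragment sequence that overshoots the totals is accepted and silently truncated rather than rejected; since a well-formed server never delivers more than the announced totals, consider treating the overshoot case (rq_ldata > data_tot or rq_lparm > parm_tot) as a protocol error and jumping to the existing `out_too_long:` path instead of clamping, or at least documenting why silent clamping was chosen. The comment "we use the packet totals -- total lengths might shrink!" should also be updated to mention that the received-byte counters are now clamped to those totals, so the two lines of comment and the code agree.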