author | Marios Makassikis <[email protected]> | 2021-05-06 11:40:02 +0900 |
---|---|---|
committer | Steve French <[email protected]> | 2021-05-10 19:15:47 -0500 |
commit | e7735c854880084a6d97e60465f19daa42842eff (patch) | |
tree | e2978eab92d876060095a65ab514191173749603 | |
parent | 79caa9606df1504b3b5104457cbb5d759f0e5fae (diff) |
cifsd: Update out_buf_len in smb2_populate_readdir_entry()
When processing an SMB2 QUERY_DIRECTORY request,
smb2_populate_readdir_entry() is called first to fill the dot/dotdot
entries. This moves the d_info->wptr pointer but out_buf_len remains
unchanged. As a result, reserve_populate_dentry() may end up writing
past the end of the buffer since the bounds checking is done on
invalid values.
Signed-off-by: Marios Makassikis <[email protected]>
Signed-off-by: Namjae Jeon <[email protected]>
Signed-off-by: Steve French <[email protected]>
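The accounting drift the commit message describes, shown as an added, self-contained C example (not ksmbd code): a hypothetical `struct dir_info` with the three fields named in the commit (`wptr`, `out_buf_len`, `data_count`), a made-up fixed entry header, and a 32-byte response buffer. `append_entry()` does the bounds check against `out_buf_len` the way the message says `reserve_populate_dentry()` does; `fill_directory(0)` uses the pre-patch bookkeeping (advance `wptr` but leave `out_buf_len` alone) and `fill_directory(1)` the patched one. Rather than actually overrunning the stack buffer, the example reports when the check has passed but the write would land past the end.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the relevant part of ksmbd's struct ksmbd_dir_info.
 * Only wptr, out_buf_len and data_count appear in the commit; buf, buf_size
 * and the entry layout are invented for this demonstration. */
struct dir_info {
	char *buf;          /* start of the response buffer */
	size_t buf_size;    /* real capacity, used here only to detect overruns */
	char *wptr;         /* next write position */
	int out_buf_len;    /* bytes the bounds check believes are still free */
	int data_count;     /* bytes consumed so far */
};

#define ENTRY_HDR 8     /* hypothetical fixed per-entry header size */

static int entry_size(const char *name)
{
	return ENTRY_HDR + (int)strlen(name);
}

/* Append one directory entry. The bounds check is done against out_buf_len,
 * as the commit message says reserve_populate_dentry() does. update_len
 * selects the patched bookkeeping (decrement out_buf_len) or the pre-patch
 * behaviour (leave it stale while wptr moves). */
static int append_entry(struct dir_info *d, const char *name, int update_len)
{
	int sz = entry_size(name);

	if (sz > d->out_buf_len)
		return -ENOSPC;            /* the check refuses the entry */

	/* Instead of writing past the buffer, report that we would have. */
	if ((size_t)(d->wptr - d->buf) + (size_t)sz > d->buf_size)
		return -EOVERFLOW;

	memset(d->wptr, 0, ENTRY_HDR);
	memcpy(d->wptr + ENTRY_HDR, name, strlen(name));
	d->data_count += sz;
	if (update_len)
		d->out_buf_len -= sz;  /* the one line the commit adds */
	d->wptr += sz;
	return 0;
}

/* Fill a 32-byte response the way the QUERY_DIRECTORY path does: the
 * dot/dotdot entries first, then a real name. Returns the result of the
 * third append: 0, -ENOSPC (check refused it) or -EOVERFLOW (the check
 * passed on a stale out_buf_len but the write would run past the buffer). */
int fill_directory(int fixed)
{
	char buf[32];
	struct dir_info d = {
		.buf = buf, .buf_size = sizeof(buf), .wptr = buf,
		.out_buf_len = (int)sizeof(buf), .data_count = 0,
	};
	int rc;

	rc = append_entry(&d, ".", fixed);          /* 9 bytes used */
	if (rc)
		return rc;
	rc = append_entry(&d, "..", fixed);         /* 10 more, 19 used */
	if (rc)
		return rc;
	return append_entry(&d, "file.txt", fixed); /* 16 more, needs 35 */
}

int main(void)
{
	printf("pre-patch accounting: rc=%d (expect -EOVERFLOW=%d)\n",
	       fill_directory(0), -EOVERFLOW);
	printf("patched accounting:   rc=%d (expect -ENOSPC=%d)\n",
	       fill_directory(1), -ENOSPC);
	return 0;
}
```

With the stale `out_buf_len`, the third entry passes the `sz > out_buf_len` test because 16 is still less than 32, even though only 13 bytes remain behind `wptr`; with the decrement in place the same comparison sees 13 and rejects it. The general lesson is that a bounds check is only as good as the counter it reads, so every write that moves the cursor has to move the remaining-length counter in the same place.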
-rw-r--r-- | fs/cifsd/smb2pdu.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/fs/cifsd/smb2pdu.c b/fs/cifsd/smb2pdu.c index fec385318ff3..54df9a30bd23 100644 --- a/fs/cifsd/smb2pdu.c +++ b/fs/cifsd/smb2pdu.c @@ -3333,6 +3333,7 @@ static int smb2_populate_readdir_entry(struct ksmbd_conn *conn, int info_level, d_info->last_entry_offset = d_info->data_count; d_info->data_count += next_entry_offset; + d_info->out_buf_len -= next_entry_offset; d_info->wptr += next_entry_offset; kfree(conv_name); |
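Review bot: the hunk brings out_buf_len into step with data_count and wptr, but the visible lines still show no check that next_entry_offset fits before the three updates are applied; if the dot/dotdot entries can be larger than the remaining space, `d_info->out_buf_len -= next_entry_offset;` drives the counter negative (or wraps it, depending on its type) and the bounds check that the commit message says reserve_populate_dentry() performs against out_buf_len no longer protects the buffer. Suggest bailing out before the updates when `next_entry_offset > d_info->out_buf_len`, and adding a one-line comment next to the `data_count`, `out_buf_len` and `wptr` updates stating that they must be changed together, so the drift this commit fixes is not reintroduced by the next path that advances wptr.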