projects / thirdparty / kernel / stable-queue.git / blame
| Commit | Line | Data |
|---|---|---|
| 469cb8aa GKH |
1 | From e3d240e9d505fc67f8f8735836df97a794bbd946 Mon Sep 17 00:00:00 2001 |
| 2 | From: Pavel Shilovsky <pshilov@microsoft.com> | |
| 3 | Date: Tue, 29 Nov 2016 16:14:43 -0800 | |
| 4 | Subject: CIFS: Fix a possible memory corruption in push locks | |
| 5 | ||
| 6 | From: Pavel Shilovsky <pshilov@microsoft.com> | |
| 7 | ||
| 8 | commit e3d240e9d505fc67f8f8735836df97a794bbd946 upstream. | |
| 9 | ||
| 10 | If maxBuf is not 0 but less than a size of SMB2 lock structure | |
| 11 | we can end up with a memory corruption. | |
| 12 | ||
| 13 | Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com> | |
| 14 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
| 15 | ||
| 16 | --- | |
| 17 | fs/cifs/smb2file.c | 2 +- | |
| 18 | 1 file changed, 1 insertion(+), 1 deletion(-) | |
| 19 | ||
| 20 | --- a/fs/cifs/smb2file.c | |
| 21 | +++ b/fs/cifs/smb2file.c | |
| 22 | @@ -260,7 +260,7 @@ smb2_push_mandatory_locks(struct cifsFil | |
| 23 | * and check it for zero before using. | |
| 24 | */ | |
| 25 | max_buf = tlink_tcon(cfile->tlink)->ses->server->maxBuf; | |
| 26 | - if (!max_buf) { | |
| 27 | + if (max_buf < sizeof(struct smb2_lock_element)) { | |
| 28 | free_xid(xid); | |
| 29 | return -EINVAL; | |
| 30 | } |