Commit | Line | Data |
---|---|---|
469cb8aa GKH |
1 | From e3d240e9d505fc67f8f8735836df97a794bbd946 Mon Sep 17 00:00:00 2001 |
2 | From: Pavel Shilovsky <pshilov@microsoft.com> | |
3 | Date: Tue, 29 Nov 2016 16:14:43 -0800 | |
4 | Subject: CIFS: Fix a possible memory corruption in push locks | |
5 | ||
6 | From: Pavel Shilovsky <pshilov@microsoft.com> | |
7 | ||
8 | commit e3d240e9d505fc67f8f8735836df97a794bbd946 upstream. | |
9 | ||
10 | If maxBuf is not 0 but less than a size of SMB2 lock structure | |
11 | we can end up with a memory corruption. | |
12 | ||
13 | Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com> | |
14 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
15 | ||
16 | --- | |
17 | fs/cifs/smb2file.c | 2 +- | |
18 | 1 file changed, 1 insertion(+), 1 deletion(-) | |
19 | ||
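--- a/fs/cifs/smb2file.c
+++ b/fs/cifs/smb2file.c
@@ -260,7 +260,7 @@ smb2_push_mandatory_locks(struct cifsFil
 * and check it for zero before using.
 */
 max_buf = tlink_tcon(cfile->tlink)->ses->server->maxBuf;
- if (!max_buf) {
+ if (max_buf < sizeof(struct smb2_lock_element)) {
 free_xid(xid);
 return -EINVAL;
 }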
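Review bot: The context comment directly above the changed condition still says to "check it for zero before using", which no longer describes the `+` line; it should state the actual invariant, for example `* and check that it can hold at least one lock element before using.` The new condition bounds `max_buf` from below only. The value is read from `server->maxBuf`, and the code that sizes and fills the lock buffer from it lies outside this hunk, so whether an upper bound is also needed cannot be confirmed from here. The declaration of `max_buf` is not visible either; if it were a signed type, a negative value would convert to a large unsigned value in the comparison against `sizeof` and pass the check, so the declaration is worth confirming as unsigned. `smb2_push_mandatory_locks` begins and ends outside the hunk.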