The "*num_sgs" variable is a u32 so "ERR_PTR(*num_sgs)" doesn't work.
We would have to do something similar to the previous line where it's
cast to int and then long. However, it's simpler to store the return in
an int ret variable.
This bug would eventually result in a crash when dereferencing the invalid
error pointer.
Fixes: d08089f649a0 ("cifs: Change the I/O paths to use an iterator rather than a page list")
Cc: stable@kernel.org
Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
unsigned int req_size = sizeof(**req) + crypto_aead_reqsize(tfm);
unsigned int iv_size = crypto_aead_ivsize(tfm);
unsigned int len;
+ int ret;
u8 *p;
- *num_sgs = cifs_get_num_sgs(rqst, num_rqst, sig);
- if (IS_ERR_VALUE((long)(int)*num_sgs))
- return ERR_PTR(*num_sgs);
+ ret = cifs_get_num_sgs(rqst, num_rqst, sig);
+ if (ret < 0)
+ return ERR_PTR(ret);
+ *num_sgs = ret;
len = iv_size;
len += crypto_aead_alignmask(tfm) & ~(crypto_tfm_ctx_alignment() - 1);
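Review bot: on the early return at `return ERR_PTR(ret);`, `*num_sgs` is now left unwritten, whereas the removed lines assigned it before the error check. Please confirm that every caller tests the returned pointer with IS_ERR() before reading the value it passed in as `num_sgs`, or state in the function's comment that the output is only valid on success. It is also worth confirming that cifs_get_num_sgs() is declared to return int, so that a negative errno reaches `ret` unchanged and the `ret < 0` test is reliable.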