+++ /dev/null
-From 6dea74489dfe3229e87459cc7d017ee09f1cfa6a Mon Sep 17 00:00:00 2001
-From: Dan Carpenter <dan.carpenter@oracle.com>
-Date: Mon, 10 Sep 2018 14:12:07 +0300
-Subject: cifs: integer overflow in in SMB2_ioctl()
-
-[ Upstream commit 2d204ee9d671327915260071c19350d84344e096 ]
-
-The "le32_to_cpu(rsp->OutputOffset) + *plen" addition can overflow and
-wrap around to a smaller value which looks like it would lead to an
-information leak.
-
-Fixes: 4a72dafa19ba ("SMB2 FSCTL and IOCTL worker function")
-Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
-Signed-off-by: Steve French <stfrench@microsoft.com>
-Reviewed-by: Aurelien Aptel <aaptel@suse.com>
-CC: Stable <stable@vger.kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- fs/cifs/smb2pdu.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
-index 2667de60b2cb..acc91bda11ad 100644
---- a/fs/cifs/smb2pdu.c
-+++ b/fs/cifs/smb2pdu.c
-@@ -1384,14 +1384,14 @@ SMB2_ioctl(const unsigned int xid, struct cifs_tcon *tcon, u64 persistent_fid,
- /* We check for obvious errors in the output buffer length and offset */
- if (*plen == 0)
- goto ioctl_exit; /* server returned no data */
-- else if (*plen > 0xFF00) {
-+ else if (*plen > rsp_iov.iov_len || *plen > 0xFF00) {
- cifs_dbg(VFS, "srv returned invalid ioctl length: %d\n", *plen);
- *plen = 0;
- rc = -EIO;
- goto ioctl_exit;
- }
-
-- if (get_rfc1002_length(rsp) < le32_to_cpu(rsp->OutputOffset) + *plen) {
-+ if (get_rfc1002_length(rsp) - *plen < le32_to_cpu(rsp->OutputOffset)) {
- cifs_dbg(VFS, "Malformed ioctl resp: len %d offset %d\n", *plen,
- le32_to_cpu(rsp->OutputOffset));
- *plen = 0;
---
-2.19.1
-
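Review bot: Dropping this queued patch leaves the check it was replacing, `get_rfc1002_length(rsp) < le32_to_cpu(rsp->OutputOffset) + *plen`, in place in this tree, and the patch's own description says that addition can wrap and looks like it would lead to an information leak; the same patch file is removed from two more queues further down the page. No reason for the drop is visible here; if it is that `rsp_iov` is not available in SMB2_ioctl() in these trees (an assumption to confirm), the second hunk cannot be carried on its own, because `get_rfc1002_length(rsp) - *plen` wraps when `*plen` exceeds the received length and the comparison then passes. A tree-specific backport would first need to bound `*plen` by the received length, for example `else if (*plen > get_rfc1002_length(rsp) || *plen > 0xFF00) {`, before using the subtraction form. SMB2_ioctl()'s body lies outside the quoted hunk, so the operand types should be checked against each tree.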
-cifs-integer-overflow-in-in-smb2_ioctl.patch
+++ /dev/null
-From fc99a1748ead3571a3580749ade3550d0b55a7d4 Mon Sep 17 00:00:00 2001
-From: Dan Carpenter <dan.carpenter@oracle.com>
-Date: Mon, 10 Sep 2018 14:12:07 +0300
-Subject: cifs: integer overflow in in SMB2_ioctl()
-
-[ Upstream commit 2d204ee9d671327915260071c19350d84344e096 ]
-
-The "le32_to_cpu(rsp->OutputOffset) + *plen" addition can overflow and
-wrap around to a smaller value which looks like it would lead to an
-information leak.
-
-Fixes: 4a72dafa19ba ("SMB2 FSCTL and IOCTL worker function")
-Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
-Signed-off-by: Steve French <stfrench@microsoft.com>
-Reviewed-by: Aurelien Aptel <aaptel@suse.com>
-CC: Stable <stable@vger.kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- fs/cifs/smb2pdu.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
-index f7111bb88ec1..14c65942adc6 100644
---- a/fs/cifs/smb2pdu.c
-+++ b/fs/cifs/smb2pdu.c
-@@ -1589,14 +1589,14 @@ SMB2_ioctl(const unsigned int xid, struct cifs_tcon *tcon, u64 persistent_fid,
- /* We check for obvious errors in the output buffer length and offset */
- if (*plen == 0)
- goto ioctl_exit; /* server returned no data */
-- else if (*plen > 0xFF00) {
-+ else if (*plen > rsp_iov.iov_len || *plen > 0xFF00) {
- cifs_dbg(VFS, "srv returned invalid ioctl length: %d\n", *plen);
- *plen = 0;
- rc = -EIO;
- goto ioctl_exit;
- }
-
-- if (get_rfc1002_length(rsp) < le32_to_cpu(rsp->OutputOffset) + *plen) {
-+ if (get_rfc1002_length(rsp) - *plen < le32_to_cpu(rsp->OutputOffset)) {
- cifs_dbg(VFS, "Malformed ioctl resp: len %d offset %d\n", *plen,
- le32_to_cpu(rsp->OutputOffset));
- *plen = 0;
---
-2.19.1
-
asoc-sta32x-set-component-pointer-in-private-struct.patch
-cifs-integer-overflow-in-in-smb2_ioctl.patch
+++ /dev/null
-From d36213fb2022ea7e97b880f0925c29efdbbcca1e Mon Sep 17 00:00:00 2001
-From: Dan Carpenter <dan.carpenter@oracle.com>
-Date: Mon, 10 Sep 2018 14:12:07 +0300
-Subject: cifs: integer overflow in in SMB2_ioctl()
-
-[ Upstream commit 2d204ee9d671327915260071c19350d84344e096 ]
-
-The "le32_to_cpu(rsp->OutputOffset) + *plen" addition can overflow and
-wrap around to a smaller value which looks like it would lead to an
-information leak.
-
-Fixes: 4a72dafa19ba ("SMB2 FSCTL and IOCTL worker function")
-Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
-Signed-off-by: Steve French <stfrench@microsoft.com>
-Reviewed-by: Aurelien Aptel <aaptel@suse.com>
-CC: Stable <stable@vger.kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- fs/cifs/smb2pdu.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
-index 50251a8af0ce..eae97d169351 100644
---- a/fs/cifs/smb2pdu.c
-+++ b/fs/cifs/smb2pdu.c
-@@ -1742,14 +1742,14 @@ SMB2_ioctl(const unsigned int xid, struct cifs_tcon *tcon, u64 persistent_fid,
- /* We check for obvious errors in the output buffer length and offset */
- if (*plen == 0)
- goto ioctl_exit; /* server returned no data */
-- else if (*plen > 0xFF00) {
-+ else if (*plen > rsp_iov.iov_len || *plen > 0xFF00) {
- cifs_dbg(VFS, "srv returned invalid ioctl length: %d\n", *plen);
- *plen = 0;
- rc = -EIO;
- goto ioctl_exit;
- }
-
-- if (get_rfc1002_length(rsp) < le32_to_cpu(rsp->OutputOffset) + *plen) {
-+ if (get_rfc1002_length(rsp) - *plen < le32_to_cpu(rsp->OutputOffset)) {
- cifs_dbg(VFS, "Malformed ioctl resp: len %d offset %d\n", *plen,
- le32_to_cpu(rsp->OutputOffset));
- *plen = 0;
---
-2.19.1
-
block-fix-infinite-loop-if-the-device-loses-discard-.patch
asoc-sta32x-set-component-pointer-in-private-struct.patch
ib_srpt-fix-a-use-after-free-in-__srpt_close_all_ch.patch
-cifs-integer-overflow-in-in-smb2_ioctl.patch