|
|
@@ -331,31 +331,33 @@ smb_init_no_reconnect(int smb_command, int wct, struct cifsTconInfo *tcon,
|
|
|
|
|
|
static int validate_t2(struct smb_t2_rsp *pSMB)
|
|
|
{
|
|
|
- int rc = -EINVAL;
|
|
|
- int total_size;
|
|
|
+ unsigned int total_size;
|
|
|
+
|
|
|
+ /* check for plausible wct */
|
|
|
+ if (pSMB->hdr.WordCount < 10)
|
|
|
+ goto vt2_err;
|
|
|
|
|
|
- /* check for plausible wct, bcc and t2 data and parm sizes */
|
|
|
/* check for parm and data offset going beyond end of smb */
|
|
|
- if (pSMB->hdr.WordCount >= 10) {
|
|
|
- if ((le16_to_cpu(pSMB->t2_rsp.ParameterOffset) <= 1024) &&
|
|
|
- (le16_to_cpu(pSMB->t2_rsp.DataOffset) <= 1024)) {
|
|
|
- /* check that bcc is at least as big as parms + data */
|
|
|
- /* check that bcc is less than negotiated smb buffer */
|
|
|
- total_size = le16_to_cpu(pSMB->t2_rsp.ParameterCount);
|
|
|
- if (total_size < 512) {
|
|
|
- total_size +=
|
|
|
- le16_to_cpu(pSMB->t2_rsp.DataCount);
|
|
|
- if (total_size <= get_bcc(&pSMB->hdr) &&
|
|
|
- total_size <
|
|
|
- CIFSMaxBufSize + MAX_CIFS_HDR_SIZE) {
|
|
|
- return 0;
|
|
|
- }
|
|
|
- }
|
|
|
- }
|
|
|
- }
|
|
|
+ if (get_unaligned_le16(&pSMB->t2_rsp.ParameterOffset) > 1024 ||
|
|
|
+ get_unaligned_le16(&pSMB->t2_rsp.DataOffset) > 1024)
|
|
|
+ goto vt2_err;
|
|
|
+
|
|
|
+ /* check that bcc is at least as big as parms + data */
|
|
|
+ /* check that bcc is less than negotiated smb buffer */
|
|
|
+ total_size = get_unaligned_le16(&pSMB->t2_rsp.ParameterCount);
|
|
|
+ if (total_size >= 512)
|
|
|
+ goto vt2_err;
|
|
|
+
|
|
|
+ total_size += get_unaligned_le16(&pSMB->t2_rsp.DataCount);
|
|
|
+ if (total_size > get_bcc(&pSMB->hdr) ||
|
|
|
+ total_size >= CIFSMaxBufSize + MAX_CIFS_HDR_SIZE)
|
|
|
+ goto vt2_err;
|
|
|
+
|
|
|
+ return 0;
|
|
|
+vt2_err:
|
|
|
cifs_dump_mem("Invalid transact2 SMB: ", (char *)pSMB,
|
|
|
sizeof(struct smb_t2_rsp) + 16);
|
|
|
- return rc;
|
|
|
+ return -EINVAL;
|
|
|
}
|
|
|
|
|
|
int
|
Jeff Layton