authorAlexander Viro <viro@math.psu.edu>2002-02-19 01:58:49 -0800
committerLinus Torvalds <torvalds@penguin.transmeta.com>2002-02-19 01:58:49 -0800
commit93521b61218f9e47bf6f08b3dc1fcdfaaf508699 (patch)
treee29df5024f76fbf426b7fb04fd083368ff0b2bd9
parent3eb2eac73209508364555791e6556cb251f896a5 (diff)
[PATCH] more smbfs buffer overrun fixes
More of the same - some of these guys have stuff after pathname. Overflow checks added.
-rw-r--r--fs/smbfs/proc.c14
1 files changed, 14 insertions, 0 deletions
diff --git a/fs/smbfs/proc.c b/fs/smbfs/proc.c
index 3af99bcac86a..4075626db7a4 100644
--- a/fs/smbfs/proc.c
+++ b/fs/smbfs/proc.c
@@ -1628,11 +1628,21 @@ smb_proc_readdir_short(struct file *filp, void *dirent, filldir_t filldir,
result = smb_simple_encode_path(server, &p, dir, &mask);
if (result < 0)
goto unlock_return;
+ if (p + 3 > (char*)server->packet+server->packet_size) {
+ result = -ENAMETOOLONG;
+ goto unlock_return;
+ }
*p++ = 5;
WSET(p, 0, 0);
p += 2;
first = 0;
} else {
+ if (p + 5 + SMB_STATUS_SIZE >
+ (char*)server->packet + server->packet_size) {
+ result = -ENAMETOOLONG;
+ goto unlock_return;
+ }
+
*p++ = 4;
*p++ = 0;
*p++ = 5;
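Review bot: The added bounds checks form `p + N` before comparing it with the end of the packet buffer (`p + 3 > (char*)server->packet+server->packet_size` here, and the same shape in the `else` branch and in the smb_proc_setattr_core hunk), which is only well-defined while `p + N` stays within or one past the buffer. Comparing the remaining space avoids forming an out-of-range pointer: `if ((char *)server->packet + server->packet_size - p < 3) {`. The constant 3 matches the one byte and the WSET word stored right after it. The `5 + SMB_STATUS_SIZE` in the `else` branch presumably covers stores that continue past the last line of this hunk, so it cannot be confirmed from here. Both branches sit in a function body that starts and ends outside the hunk.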
@@ -2355,6 +2365,10 @@ smb_proc_setattr_core(struct smb_sb_info *server, struct dentry *dentry,
result = smb_simple_encode_path(server, &p, dentry, NULL);
if (result < 0)
goto out;
+ if (p + 2 > (char *)server->packet + server->packet_size) {
+ result = -ENAMETOOLONG;
+ goto out;
+ }
*p++ = 4;
*p++ = 0;
smb_setup_bcc(server, p);
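Review bot: The literal `2` in the added check is tied to the two `*p++` stores that follow, but nothing says so, and a later change that appends another field after the path could leave the check too small. A one-line comment above the check would keep them in step, for example `/* room for the two bytes stored after the encoded path */`. smb_proc_setattr_core's body starts and ends outside the hunk.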