Previously the code assumed that the ACE that was copied was of a fixed size. Save off the return value from copy_ace and ensure that we apply it correctly to the size and offset.
Reported-by: Jian Li <jiali@xxxxxxxxxx>
Signed-off-by: Jeff Layton <jlayton@xxxxxxxxx>
---
 setcifsacl.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/setcifsacl.c b/setcifsacl.c
index 7f92b91..67dd29c 100644
--- a/setcifsacl.c
+++ b/setcifsacl.c
@@ -183,7 +183,7 @@ static int
 ace_set(struct cifs_ntsd *pntsd, struct cifs_ntsd **npntsd, ssize_t *bufsize,
 struct cifs_ace **cacesptr, int numcaces)
 {
- int i, rc, acessize = 0;
+ int i, rc, size = 0, acessize = 0;
 size_t acesoffset;
 char *acesptr;

@@ -193,8 +193,9 @@ ace_set(struct cifs_ntsd *pntsd, struct cifs_ntsd **npntsd, ssize_t *bufsize,
 acesptr = (char *)*npntsd + acesoffset;

 for (i = 0; i < numcaces; ++i) {
- acessize += copy_ace((struct cifs_ace *)acesptr, cacesptr[i]);
- acesptr += sizeof(struct cifs_ace);
+ size = copy_ace((struct cifs_ace *)acesptr, cacesptr[i]);
+ acessize += size;
+ acesptr += size;
 }
 copy_sec_desc(pntsd, *npntsd, numcaces, acessize);
 acesptr = (char *)*npntsd + acesoffset;
--
1.7.11.7
--
To unsubscribe from this list: send the line "unsubscribe linux-cifs" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
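Review bot: In the loop of the second hunk, `acesptr += size;` now advances the write cursor by whatever copy_ace() returns, with no bound. The writes stay inside the `*npntsd` buffer only if every returned size is positive and their sum fits the space reserved earlier in ace_set, and that allocation is outside this hunk. If it reserves `sizeof(struct cifs_ace)` per entry, as the removed line suggests, the invariant deserves a comment above the loop, e.g. `/* copy_ace() returns the bytes written, never more than sizeof(struct cifs_ace) */`. Otherwise the loop should bail out when `size <= 0` or when `acessize + size` would exceed the reserved space. ace_set's body starts before and continues past the hunk, so this needs checking against the full function.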