2016-07-12 16:55 GMT+03:00 Dan Carpenter <dan.carpenter@xxxxxxxxxx>:
> Hello Pavel Shilovsky,
>
> The patch b42bf88828cd: "CIFS: Implement follow_link for SMB2" from
> Aug 14, 2013, leads to the following static checker warning:
>
> 	fs/cifs/smb2pdu.c:1408 SMB2_open()
> 	warn: potentially allocating too little. 77 vs 4
>
> fs/cifs/smb2pdu.c
>   1402          rc = SendReceive2(xid, ses, iov, num_iovecs, &resp_buftype, 0);
>   1403          rsp = (struct smb2_create_rsp *)iov[0].iov_base;
>   1404
>   1405          if (rc != 0) {
>   1406                  cifs_stats_fail_inc(tcon, SMB2_CREATE_HE);
>   1407                  if (err_buf)
>   1408                          *err_buf = kmemdup(rsp, get_rfc1002_length(rsp) + 4,
>
> I'm not an expert, but these look like it might be controlled from user
> space. How do we know that get_rfc1002_length() returns something large
> enough?

Good catch. err_buf is used by smb2_query_symlink() without any checks for a buffer size. Thanks!

--
Best regards,
Pavel Shilovsky
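As an added illustration, not part of this thread or of the kernel's code: a user-space model of the size check the warning asks for. The length copied comes from the peer's NetBIOS session header, so a consumer that reads a fixed-size struct out of the copy must first confirm the copy is at least that large; `model_rfc1002_length`, `dup_rsp_checked` and `MODEL_ERR_RSP_LEN` are constructed names, with 77 taken from the checker's message as a stand-in for the struct size.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define RFC1002_HDR_LEN 4
/* Size the caller reads through; 77 is the figure in the checker warning,
 * used here as a constant instead of the kernel's smb2_err_rsp struct. */
#define MODEL_ERR_RSP_LEN 77

/* Mirrors get_rfc1002_length(): the low 24 bits of the big-endian 4-byte
 * NetBIOS session header, a value the peer controls. */
static uint32_t model_rfc1002_length(const uint8_t *buf)
{
    return ((uint32_t)buf[1] << 16) | ((uint32_t)buf[2] << 8) | buf[3];
}

/* The unchecked pattern, kmemdup(rsp, length + 4), makes the copy exactly
 * as large as the peer says, so a later read of a fixed-size struct can
 * run past it.  Here the copy is refused unless the peer-supplied length
 * covers min_len bytes. */
static void *dup_rsp_checked(const uint8_t *rsp, size_t min_len, size_t *copied)
{
    size_t total = (size_t)model_rfc1002_length(rsp) + RFC1002_HDR_LEN;
    if (total < min_len)
        return NULL;
    void *copy = malloc(total);
    if (!copy)
        return NULL;
    memcpy(copy, rsp, total);
    if (copied)
        *copied = total;
    return copy;
}

/* Constructed sample: a bare header with length 0 (the "4" in the warning). */
static int short_rsp_is_rejected(void)
{
    static const uint8_t hdr_only[RFC1002_HDR_LEN] = { 0x00, 0x00, 0x00, 0x00 };
    return dup_rsp_checked(hdr_only, MODEL_ERR_RSP_LEN, NULL) == NULL;
}

/* Constructed sample: a full 77-byte response whose length field is 73. */
static size_t full_rsp_copied_len(void)
{
    uint8_t full[MODEL_ERR_RSP_LEN] = { 0x00, 0x00, 0x00, 73 };
    size_t n = 0;  /* stays 0 when the copy is refused */
    void *copy = dup_rsp_checked(full, MODEL_ERR_RSP_LEN, &n);
    free(copy);
    return n;
}
```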