On Mon, 2016-12-05 at 13:11 -0800, Pavel Shilovsky wrote:
> If maxBuf is not 0 but less than a size of SMB2 lock structure
> we can end up with a memory corruption.
>
> Cc: Stable <stable@xxxxxxxxxxxxxxx>
> Signed-off-by: Pavel Shilovsky <pshilov@xxxxxxxxxxxxx>
Acked-by: Sachin Prabhu <sprabhu@xxxxxxxxxx>
> ---
> fs/cifs/smb2file.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fs/cifs/smb2file.c b/fs/cifs/smb2file.c
> index f9e766f..b2aff0c 100644
> --- a/fs/cifs/smb2file.c
> +++ b/fs/cifs/smb2file.c
> @@ -260,7 +260,7 @@ smb2_push_mandatory_locks(struct cifsFileInfo
> *cfile)
> * and check it for zero before using.
> */
> max_buf = tlink_tcon(cfile->tlink)->ses->server->maxBuf;
> - if (!max_buf) {
> + if (max_buf < sizeof(struct smb2_lock_element)) {
> free_xid(xid);
> return -EINVAL;
> }
--
To unsubscribe from this list: send the line "unsubscribe linux-cifs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
