On 8/31/2022 3:52 AM, Zhang Xiaoxu wrote:
v1->v2: fix some bugs in ksmbd when handling the FSCTL_VALIDATE_NEGOTIATE_INFO message

Zhang Xiaoxu (3):
  cifs: Fix the error length of VALIDATE_NEGOTIATE_INFO message
  ksmbd: Remove the wrong message length check of FSCTL_VALIDATE_NEGOTIATE_INFO
  ksmbd: Fix wrong return value in smb2_ioctl() when wrong out_buf_len

 fs/cifs/smb2pdu.c  | 4 ++--
 fs/ksmbd/smb2pdu.c | 9 ++++-----
 2 files changed, 6 insertions(+), 7 deletions(-)
Sorry, but these are a NAK from me - they don't actually change the definition to a variable-length array, they just attempt to undo the broken "4" in several places. The real fix begins in smbpdu.h in this line:

    __le16 Dialects[4]; --> Dialects[]

Also, the change to ksmbd is incorrect: it is critical to check that the inbound buffer holds at least enough data to be able to dereference the DialectCount, followed by a second check that all the counted array elements are present. Also that the outbound buffer is large enough to return a single dialect.

Tom.
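The three checks Tom describes (fixed header present before DialectCount is read, every counted dialect present, output buffer large enough for the one-dialect reply), written out as an added stand-alone example; this is not the kernel's code, and the struct and function names (vni_req, vni_rsp, vni_check, vni_build_sample) are assumed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-alone mirror of the on-wire layout. Names are assumed for this
 * example; Dialects[] is the flexible array the review asks for, with
 * DialectCount giving how many entries follow the fixed 24-byte part. */
struct vni_req {
	uint32_t Capabilities;
	uint8_t  Guid[16];
	uint16_t SecurityMode;
	uint16_t DialectCount;
	uint16_t Dialects[];
} __attribute__((packed));

struct vni_rsp {                 /* reply carries exactly one dialect */
	uint32_t Capabilities;
	uint8_t  Guid[16];
	uint16_t SecurityMode;
	uint16_t Dialect;
} __attribute__((packed));

/* Check an inbound FSCTL_VALIDATE_NEGOTIATE_INFO request before any field
 * is dereferenced. Returns 0 when all three checks pass, -1 otherwise. */
int vni_check(const unsigned char *in, size_t in_len, size_t out_buf_len)
{
	size_t fixed = offsetof(struct vni_req, Dialects);   /* 24 bytes */
	const unsigned char *p;
	uint16_t count;

	if (in_len < fixed)            /* 1. DialectCount must lie inside the buffer */
		return -1;
	p = in + offsetof(struct vni_req, DialectCount);
	count = (uint16_t)(p[0] | (p[1] << 8));              /* little-endian field */
	if (count == 0 || in_len < fixed + (size_t)count * 2) /* 2. all entries present */
		return -1;
	if (out_buf_len < sizeof(struct vni_rsp))            /* 3. reply must fit */
		return -1;
	return 0;
}

/* Constructed sample: a request advertising `count` dialects; returns its length.
 * buf must hold at least 24 + 2 * count bytes. */
size_t vni_build_sample(unsigned char *buf, uint16_t count)
{
	size_t fixed = offsetof(struct vni_req, Dialects), i;
	memset(buf, 0, fixed + 2 * count);
	buf[offsetof(struct vni_req, DialectCount)] = (unsigned char)count;
	buf[offsetof(struct vni_req, DialectCount) + 1] = (unsigned char)(count >> 8);
	for (i = 0; i < count; i++)
		buf[fixed + 2 * i + 1] = (unsigned char)(0x02 + i); /* 0x0200, 0x0300, ... */
	return fixed + 2 * count;
}
```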