[linux-cifs-client] [PATCH 0/4] cifs: add some bounds checking to CIFSSMBQAllEAs

Jeff Layton jlayton at redhat.com
Mon Jan 11 14:01:57 MST 2010


We had a customer recently report an oops in CIFSSMBQAllEAs. The details
were a little sketchy, but after looking at the oops and the code, I
think the problem was that the QUERY_ALL_EAS response from the server
was malformed and that caused the parser to walk off of the end of the
SMB response.

This patchset is an attempt to prevent that from happening again. The
idea here is to ensure that the lengths contained within the ALL_EAS
response don't go beyond the end of the SMB (as determined by the
ByteCount). I'm making the assumption here that the ByteCount is itself
sane and if it weren't, that would be caught by the validate_t2
call.

I foresee this set as a candidate for 2.6.34. Comments and suggestions
appreciated...

Jeff Layton (4):
  cifs: add parens around smb_var in BCC macros
  cifs: clean up indentation in CIFSSMBQAllEAs
  cifs: rename name_len to list_len in CIFSSMBQAllEAs
  cifs: verify lengths of QueryAllEAs reply

 fs/cifs/cifspdu.h |    6 +-
 fs/cifs/cifssmb.c |  193 +++++++++++++++++++++++++++++-----------------------
 2 files changed, 111 insertions(+), 88 deletions(-)
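The bounds check the cover letter describes, as an added example that is not part of the patchset or of the cifs code: a userspace walk over a QUERY_ALL_EAS (FEALIST) reply that refuses to follow any length past the ByteCount. The entry layout assumed here (4-byte little-endian list_len counting itself, then per-EA a flags byte, a name length byte, a 16-bit value length, the NUL-terminated name and the value), the function names and the sample buffers are all assumptions, not the kernel's own code.

```c
#include <stddef.h>
#include <stdint.h>

static uint16_t get_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t get_le32(const uint8_t *p) { return get_le16(p) | ((uint32_t)get_le16(p + 2) << 16); }

/* Walk a FEALIST bounded by bcc (the SMB ByteCount, assumed already sane).
 * Returns the number of EAs found, or -1 if any length field would carry
 * the parser past the end of the data. */
int walk_ea_list(const uint8_t *data, size_t bcc)
{
	size_t off = 4, end;
	uint32_t list_len;
	int count = 0;

	if (bcc < 4)
		return -1;
	list_len = get_le32(data);
	if (list_len < 4 || list_len > bcc)	/* list_len counts itself and must fit in the SMB */
		return -1;
	end = list_len;
	while (off < end) {
		size_t name_len, value_len, entry_len;
		if (end - off < 4)			/* fixed part: flags, name_len, value_len */
			return -1;
		name_len = data[off + 1];
		value_len = get_le16(data + off + 2);
		entry_len = 4 + name_len + 1 + value_len;	/* header + name + NUL + value */
		if (entry_len > end - off)		/* would walk off the end of the reply */
			return -1;
		if (data[off + 4 + name_len] != 0)	/* name must be NUL-terminated */
			return -1;
		off += entry_len;
		count++;
	}
	return count;
}

/* Constructed sample replies: two EAs ("user.a"="xy", "b"="z"), then the
 * same list with the first value_len corrupted to 0x1000. */
static const uint8_t good_reply[24] = {
	24, 0, 0, 0,  0, 6, 2, 0, 'u','s','e','r','.','a', 0, 'x','y',
	0, 1, 1, 0, 'b', 0, 'z' };
static const uint8_t bad_reply[24] = {
	24, 0, 0, 0,  0, 6, 0x00, 0x10, 'u','s','e','r','.','a', 0, 'x','y',
	0, 1, 1, 0, 'b', 0, 'z' };

int demo_good(void) { return walk_ea_list(good_reply, sizeof good_reply); }	/* 2 */
int demo_bad(void) { return walk_ea_list(bad_reply, sizeof bad_reply); }	/* -1 */
int demo_truncated(void) { return walk_ea_list(good_reply, 10); }		/* -1 */
```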
