[linux-cifs-client] [PATCH 0/4] cifs: add some bounds checking to CIFSSMBQAllEAs

Jeff Layton jlayton at redhat.com
Tue Jan 12 07:27:44 MST 2010


We had a customer recently report an oops in CIFSSMBQAllEAs. The details
were a little sketchy, but after looking at the oops and the code, I
think the problem was that the QUERY_ALL_EAS response from the server
was malformed and that caused the parser to walk off of the end of the
SMB response.

This is the second attempt at this patchset. The main difference is a
number of bugfixes in the last patch (mostly problems in pointer math),
and a change in approach in that patch. Rather than checking each entry
against the end of the SMB, the new patch checks that the total length
of the list doesn't go past the end of the SMB, and then checks that
each entry doesn't go past the end of the list.

This patchset is an attempt to prevent that from happening again. The
idea here is to ensure that the lengths contained within the ALL_EAS
response don't go beyond the end of the SMB (as determined by the
ByteCount). I'm making the assumption here that the ByteCount is itself
sane and that, if it weren't, that would be caught by the validate_t2
call.

I foresee this set as a candidate for 2.6.34. Comments and suggestions
appreciated...

Jeff Layton (4):
  cifs: add parens around smb_var in BCC macros
  cifs: clean up indentation in CIFSSMBQAllEAs
  cifs: rename name_len to list_len in CIFSSMBQAllEAs
  cifs: verify lengths of QueryAllEAs reply

 fs/cifs/cifspdu.h |    6 +-
 fs/cifs/cifssmb.c |  183 ++++++++++++++++++++++++++++-------------------------
 2 files changed, 101 insertions(+), 88 deletions(-)
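The two-stage bounds check the cover letter describes (first the announced list length against the bytes the reply actually carries, then each entry against the end of the list rather than the end of the buffer) is shown below as an added example. It is not the kernel's CIFSSMBQAllEAs code or the patch itself: the record layout is a simplified, constructed one (4-byte list length that includes itself, then entries of flags, name length, value length, NUL-terminated name and value), and `parse_ea_list`, `ea_entry_view` and the `demo_*` helpers are hypothetical names. Sample replies are constructed inline.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed, simplified EA list layout (assumption; not the wire format
 * the kernel parses):
 *   u32 list_len (little-endian, counts itself)
 *   entries: u8 flags, u8 name_len, u16 value_len (LE),
 *            name[name_len], NUL, value[value_len]
 */
struct ea_entry_view {
    const uint8_t *name;
    uint8_t name_len;
    const uint8_t *value;
    uint16_t value_len;
};

static uint32_t rd_le32(const uint8_t *p)
{
    return p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static uint16_t rd_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* Parse the EA list in buf[0..byte_count). Returns the number of entries,
 * or -1 if any length would take the parser outside its container. */
int parse_ea_list(const uint8_t *buf, size_t byte_count,
                  struct ea_entry_view *out, size_t max_out)
{
    /* Stage 1: the list header must fit, and the length it announces must
     * not exceed what the reply (byte_count) actually carries. */
    if (byte_count < 4)
        return -1;
    uint32_t list_len = rd_le32(buf);
    if (list_len < 4 || list_len > byte_count)
        return -1;

    const uint8_t *list_end = buf + list_len;
    const uint8_t *p = buf + 4;
    int n = 0;

    /* Stage 2: every entry is checked against the end of the list, never
     * against the raw buffer, so trailing bytes cannot "extend" a short list. */
    while (p < list_end) {
        if ((size_t)(list_end - p) < 4)
            return -1;                       /* truncated entry header */
        uint8_t name_len = p[1];
        uint16_t value_len = rd_le16(p + 2);
        size_t entry_len = 4 + (size_t)name_len + 1 + value_len;
        if ((size_t)(list_end - p) < entry_len)
            return -1;                       /* entry overruns the list */
        if (p[4 + name_len] != 0)
            return -1;                       /* name not NUL-terminated */
        if ((size_t)n < max_out) {
            out[n].name = p + 4;
            out[n].name_len = name_len;
            out[n].value = p + 4 + name_len + 1;
            out[n].value_len = value_len;
        }
        n++;
        p += entry_len;
    }
    return n;
}

/* Constructed well-formed reply: list_len 24, entries "user"="abc", "os"="x". */
static const uint8_t good_reply[] = {
    24, 0, 0, 0,
    0, 4, 3, 0, 'u', 's', 'e', 'r', 0, 'a', 'b', 'c',
    0, 2, 1, 0, 'o', 's', 0, 'x',
};

int demo_good(void)
{
    struct ea_entry_view v[4];
    return parse_ea_list(good_reply, sizeof good_reply, v, 4);
}

/* Second entry claims a 65535-byte value: overruns the list, rejected. */
int demo_bad_entry(void)
{
    struct ea_entry_view v[4];
    uint8_t b[sizeof good_reply];
    memcpy(b, good_reply, sizeof b);
    b[18] = 0xff; b[19] = 0xff;
    return parse_ea_list(b, sizeof b, v, 4);
}

/* List length larger than the bytes the reply carries: rejected up front. */
int demo_bad_list(void)
{
    struct ea_entry_view v[4];
    uint8_t b[sizeof good_reply];
    memcpy(b, good_reply, sizeof b);
    b[0] = 200;
    return parse_ea_list(b, sizeof b, v, 4);
}

int main(void)
{
    printf("good=%d bad_entry=%d bad_list=%d\n",
           demo_good(), demo_bad_entry(), demo_bad_list());
    return 0;
}
```

Checking each entry against `list_end` instead of `buf + byte_count` is what makes the second stage meaningful: once the first stage has proven `list_len <= byte_count`, the list end is the tighter bound, and an entry that overruns it is rejected even when the reply happens to carry enough trailing bytes to read.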
