mirror of
https://github.com/AuxXxilium/linux_dsm_epyc7002.git
synced 2024-11-24 11:20:49 +07:00
cifs: fix NULL deref in SMB2_read
Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com> Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com> CC: Stable <stable@vger.kernel.org> Signed-off-by: Steve French <smfrench@gmail.com>
This commit is contained in:
parent
328b4ed93b
commit
a821df3f1a
@ -2678,27 +2678,27 @@ SMB2_read(const unsigned int xid, struct cifs_io_parms *io_parms,
|
||||
cifs_small_buf_release(req);
|
||||
|
||||
rsp = (struct smb2_read_rsp *)rsp_iov.iov_base;
|
||||
shdr = get_sync_hdr(rsp);
|
||||
|
||||
if (shdr->Status == STATUS_END_OF_FILE) {
|
||||
free_rsp_buf(resp_buftype, rsp_iov.iov_base);
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (rc) {
|
||||
cifs_stats_fail_inc(io_parms->tcon, SMB2_READ_HE);
|
||||
cifs_dbg(VFS, "Send error in read = %d\n", rc);
|
||||
} else {
|
||||
*nbytes = le32_to_cpu(rsp->DataLength);
|
||||
if ((*nbytes > CIFS_MAX_MSGSIZE) ||
|
||||
(*nbytes > io_parms->length)) {
|
||||
cifs_dbg(FYI, "bad length %d for count %d\n",
|
||||
*nbytes, io_parms->length);
|
||||
rc = -EIO;
|
||||
*nbytes = 0;
|
||||
if (rc != -ENODATA) {
|
||||
cifs_stats_fail_inc(io_parms->tcon, SMB2_READ_HE);
|
||||
cifs_dbg(VFS, "Send error in read = %d\n", rc);
|
||||
}
|
||||
free_rsp_buf(resp_buftype, rsp_iov.iov_base);
|
||||
return rc == -ENODATA ? 0 : rc;
|
||||
}
|
||||
|
||||
*nbytes = le32_to_cpu(rsp->DataLength);
|
||||
if ((*nbytes > CIFS_MAX_MSGSIZE) ||
|
||||
(*nbytes > io_parms->length)) {
|
||||
cifs_dbg(FYI, "bad length %d for count %d\n",
|
||||
*nbytes, io_parms->length);
|
||||
rc = -EIO;
|
||||
*nbytes = 0;
|
||||
}
|
||||
|
||||
shdr = get_sync_hdr(rsp);
|
||||
|
||||
if (*buf) {
|
||||
memcpy(*buf, (char *)shdr + rsp->DataOffset, *nbytes);
|
||||
free_rsp_buf(resp_buftype, rsp_iov.iov_base);
|
||||
|
Loading…
Reference in New Issue
Block a user