[PATCH] cifs: improve check for search entry going beyond end of SMB transact

=======================================

Informational pseudo-files:

DebugData		Displays information about active CIFS sessions

			and shares.

			and shares, as well as the cifs.ko version.

Stats			Lists summary resource usage information as well as per

			share statistics, if CONFIG_CIFS_STATS in enabled

			in the kernel configuration.

Two other experimental features are under development and to test 

require enabling CONFIG_CIFS_EXPERIMENTAL

	More efficient write operations and SMB buffer handling

	More efficient write operations

	DNOTIFY fcntl: needed for support of directory change 

			    notification and perhaps later for file leases)

Also note that "cat /proc/fs/cifs/DebugData" will display information about 

the active sessions and the shares that are mounted.  Note: NTLMv2 enablement 

will not work since they its implementation is not quite complete yet.

Do not alter these configuration values unless you are doing specific testing.  

will not work since its implementation is not quite complete yet. Do not alter

the ExtendedSecurity configuration value unless you are doing specific testing.

Enabling extended security works to Windows 2000 Workstations and XP but not to 

Windows 2000 server or Samba since it does not usually send "raw NTLMSSP" 

(instead it sends NTLMSSP encapsulated in SPNEGO/GSSAPI, which support is not 

		}

	}

	write_unlock(&GlobalSMBSeslock);

	/* BB Add call to invalidate_inodes(sb) for all superblocks mounted to this tcon */

	/* BB Add call to invalidate_inodes(sb) for all superblocks mounted

	   to this tcon */

}

/* If the return code is zero, this function must fill in request_buf pointer */

					   (tcon->ses->status == CifsExiting)) {

						cFYI(1,("gave up waiting on reconnect in smb_init"));

						return -EHOSTDOWN;

					} /* else "hard" mount - keep retrying until 

					process is killed or server comes back up */

					} /* else "hard" mount - keep retrying

					     until process is killed or server

					     comes back on-line */

				} else /* TCP session is reestablished now */

					break;

		simultaneously reconnect the same SMB session */

			down(&tcon->ses->sesSem);

			if(tcon->ses->status == CifsNeedReconnect)

				rc = cifs_setup_session(0, tcon->ses, nls_codepage);

				rc = cifs_setup_session(0, tcon->ses, 

							nls_codepage);

			if(!rc && (tcon->tidStatus == CifsNeedReconnect)) {

				mark_open_files_invalid(tcon);

				rc = CIFSTCon(0, tcon->ses, tcon->treeName, tcon,

					nls_codepage);

				rc = CIFSTCon(0, tcon->ses, tcon->treeName, tcon

					, nls_codepage);

				up(&tcon->ses->sesSem);

				if(rc == 0)

					atomic_inc(&tconInfoReconnectCount);

			while(tcon->ses->server->tcpStatus == CifsNeedReconnect) {

				wait_event_interruptible_timeout(tcon->ses->server->response_q,

					(tcon->ses->server->tcpStatus == CifsGood), 10 * HZ);

				if(tcon->ses->server->tcpStatus == CifsNeedReconnect) {

				if(tcon->ses->server->tcpStatus == 

						CifsNeedReconnect) {

					/* on "soft" mounts we wait once */

					if((tcon->retry == FALSE) || 

					   (tcon->ses->status == CifsExiting)) {

						cFYI(1,("gave up waiting on reconnect in smb_init"));

						return -EHOSTDOWN;

					} /* else "hard" mount - keep retrying until 

					process is killed or server comes back up */

					} /* else "hard" mount - keep retrying

					     until process is killed or server

					     comes on-line */

				} else /* TCP session is reestablished now */

					break;

		simultaneously reconnect the same SMB session */

			down(&tcon->ses->sesSem);

			if(tcon->ses->status == CifsNeedReconnect)

				rc = cifs_setup_session(0, tcon->ses, nls_codepage);

				rc = cifs_setup_session(0, tcon->ses, 

							nls_codepage);

			if(!rc && (tcon->tidStatus == CifsNeedReconnect)) {

				mark_open_files_invalid(tcon);

				rc = CIFSTCon(0, tcon->ses, tcon->treeName, tcon,

					nls_codepage);

				rc = CIFSTCon(0, tcon->ses, tcon->treeName,

					      tcon, nls_codepage);

				up(&tcon->ses->sesSem);

				if(rc == 0)

					atomic_inc(&tconInfoReconnectCount);

			if(total_size < 512) {

				total_size+=le16_to_cpu(pSMB->t2_rsp.DataCount);

				/* BCC le converted in SendReceive */

				pBCC = (pSMB->hdr.WordCount * 2) + sizeof(struct smb_hdr) + 

				pBCC = (pSMB->hdr.WordCount * 2) + 

					sizeof(struct smb_hdr) +

					(char *)pSMB;

				if((total_size <= (*(u16 *)pBCC)) && 

				   (total_size < 

			 (struct smb_hdr *) pSMBr, &bytes_returned, 0);

	if (rc == 0) {

		server->secMode = pSMBr->SecurityMode;	

		server->secType = NTLM; /* BB override default for NTLMv2 or krb*/

		/* one byte - no need to convert this or EncryptionKeyLen from le,*/

		server->secType = NTLM; /* BB override default for 

					   NTLMv2 or kerberos v5 */

		/* one byte - no need to convert this or EncryptionKeyLen

		   from little endian */

		server->maxReq = le16_to_cpu(pSMBr->MaxMpxCount);

		/* probably no need to store and check maxvcs */

		server->maxBuf =

		up(&tcon->tconSem);

		return -EIO;

	}

	rc = small_smb_init(SMB_COM_TREE_DISCONNECT, 0, tcon, (void **)&smb_buffer);

	rc = small_smb_init(SMB_COM_TREE_DISCONNECT, 0, tcon, 

			    (void **)&smb_buffer);

	if (rc) {

		up(&tcon->tconSem);

		return rc;

				     PATH_MAX, nls_codepage, remap);

		name_len++;	/* trailing null */

		name_len *= 2;

	} else {		/* BB improve the check for buffer overruns BB */

	} else {		/* BB improve check for buffer overruns BB */

		name_len = strnlen(fileName, PATH_MAX);

		name_len++;	/* trailing null */

		strncpy(pSMB->fileName, fileName, name_len);

					 PATH_MAX, nls_codepage, remap);

		name_len++;	/* trailing null */

		name_len *= 2;

	} else {		/* BB improve the check for buffer overruns BB */

	} else {		/* BB improve check for buffer overruns BB */

		name_len = strnlen(dirName, PATH_MAX);

		name_len++;	/* trailing null */

		strncpy(pSMB->DirName, dirName, name_len);

					    PATH_MAX, nls_codepage, remap);

		name_len++;	/* trailing null */

		name_len *= 2;

	} else {		/* BB improve the check for buffer overruns BB */

	} else {		/* BB improve check for buffer overruns BB */

		name_len = strnlen(name, PATH_MAX);

		name_len++;	/* trailing null */

		strncpy(pSMB->DirName, name, name_len);

		name_len++;	/* trailing null */

		name_len *= 2;

		pSMB->NameLength = cpu_to_le16(name_len);

	} else {		/* BB improve the check for buffer overruns BB */

	} else {		/* BB improve check for buffer overruns BB */

		count = 0;	/* no pad */

		name_len = strnlen(fileName, PATH_MAX);

		name_len++;	/* trailing null */

	pSMB->ShareAccess = cpu_to_le32(FILE_SHARE_ALL);

	pSMB->CreateDisposition = cpu_to_le32(openDisposition);

	pSMB->CreateOptions = cpu_to_le32(create_options);

	pSMB->ImpersonationLevel = cpu_to_le32(SECURITY_IMPERSONATION);	/* BB ??*/

	/* BB Expirement with various impersonation levels and verify */

	pSMB->ImpersonationLevel = cpu_to_le32(SECURITY_IMPERSONATION);

	pSMB->SecurityFlags =

	    SECURITY_CONTEXT_TRACKING | SECURITY_EFFECTIVE_ONLY;

	if (rc) {

		cFYI(1, ("Error in Open = %d", rc));

	} else {

		*pOplock = pSMBr->OplockLevel;	/* one byte no need to le_to_cpu */

		*pOplock = pSMBr->OplockLevel; /* 1 byte no need to le_to_cpu */

		*netfid = pSMBr->Fid;	/* cifs fid stays in le */

		/* Let caller know file was created so we can set the mode. */

		/* Do we care about the CreateAction in any other cases? */

			psrch_inf->srch_entries_start = 

				(char *) &pSMBr->hdr.Protocol + 

					le16_to_cpu(pSMBr->t2.DataOffset);

/* if(le16_to_cpu(pSMBr->t2.DataCount) != le16_to_cpu(pSMBr->t2.TotalDataCount)) {  

	cERROR(1,("DC: %d TDC: %d",pSMBr->t2.DataCount,pSMBr->t2.TotalDataCount));

} */ /* BB removeme BB */

			parms = (T2_FFIRST_RSP_PARMS *)((char *) &pSMBr->hdr.Protocol +

			       le16_to_cpu(pSMBr->t2.ParameterOffset));

			psrch_inf->entries_in_buffer  = le16_to_cpu(parms->SearchCount);

			psrch_inf->index_of_last_entry = 

				psrch_inf->entries_in_buffer;

/*cFYI(1,("entries in buf %d index_of_last %d",psrch_inf->entries_in_buffer,psrch_inf->index_of_last_entry));  */

/*cFYI(1,("entries in buf %d index_of_last %d",psrch_inf->entries_in_buffer,psrch_inf->index_of_last_entry));  */ /* BB removeme BB */

			*pnetfid = parms->SearchHandle;

		} else {

			cifs_buf_release(pSMB);

					qhead);

		if(mid_entry) {

			if(mid_entry->midState == MID_REQUEST_SUBMITTED) {

				/* Mark other intransit requests as needing retry so 

				  we do not immediately mark the session bad again 

				  (ie after we reconnect below) as they timeout too */

				/* Mark other intransit requests as needing

				   retry so we do not immediately mark the

				   session bad again (ie after we reconnect

				   below) as they timeout too */

				mid_entry->midState = MID_RETRY_NEEDED;

			}

		}

		} else if (length <= 0) {

			if(server->tcpStatus == CifsNew) {

				cFYI(1,("tcp session abended prematurely (after SMBnegprot)"));

				/* some servers kill tcp session rather than returning

					smb negprot error in which case reconnecting here is

					not going to help - return error to mount */

				/* some servers kill the TCP session rather than

				   returning an SMB negprot error, in which

				   case reconnecting here is not going to help,

				   and so simply return error to mount */

				break;

			}

			if(length == -EINTR) { 

			pdu_length = ntohl(smb_buffer->smb_buf_length);

		/* Only read pdu_length after below checks for too short (due

		   to e.g. int overflow) and too long ie beyond end of buf */

			cFYI(1,("rfc1002 length(big endian)0x%x)", pdu_length+4));

			cFYI(1,("rfc1002 length(big endian)0x%x)",

				pdu_length+4));

			temp = (char *) smb_buffer;

			if (temp[0] == (char) RFC1002_SESSION_KEEP_ALIVE) {

				cFYI(0,("Received 4 byte keep alive packet"));

			} else if (temp[0] == (char) RFC1002_POSITIVE_SESSION_RESPONSE) {

			} else if (temp[0] == 

				(char) RFC1002_POSITIVE_SESSION_RESPONSE) {

					cFYI(1,("Good RFC 1002 session rsp"));

			} else if (temp[0] == (char)RFC1002_NEGATIVE_SESSION_RESPONSE) {

				/* we get this from Windows 98 instead of error on SMB negprot response */

			} else if (temp[0] == 

				(char)RFC1002_NEGATIVE_SESSION_RESPONSE) {

				/* we get this from Windows 98 instead of 

				   an error on SMB negprot response */

				cFYI(1,("Negative RFC 1002 Session Response Error 0x%x)",temp[4]));

				if(server->tcpStatus == CifsNew) {

					/* if nack on negprot (rather than 

					connected to port 139 (the NACK is 

					since we do not begin with RFC1001

					session initialize frame) */

					server->addr.sockAddr.sin_port = htons(CIFS_PORT);

					server->addr.sockAddr.sin_port = 

						htons(CIFS_PORT);

					cifs_reconnect(server);

					csocket = server->ssocket;

					wake_up(&server->response_q);

				csocket = server->ssocket;

				continue;

			} else {

				if((pdu_length > CIFSMaxBufSize + MAX_CIFS_HDR_SIZE - 4)

				    || (pdu_length < sizeof (struct smb_hdr) - 1 - 4)) {

				if((pdu_length > CIFSMaxBufSize + 

					MAX_CIFS_HDR_SIZE - 4) ||

				    (pdu_length < sizeof (struct smb_hdr) - 1 - 4)) {

					cERROR(1,

					    ("Invalid size SMB length %d and pdu_length %d",

						length, pdu_length+4));

					continue;

				}

				/* BB FIXME - add checkTrans2SMBSecondary() */

				task_to_wake = NULL;

				spin_lock(&GlobalMid_Lock);

				list_for_each(tmp, &server->pending_mid_q) {

	read_lock(&GlobalSMBSeslock);

	if (list_empty(&server->pending_mid_q)) {

		/* loop through server session structures attached to this and mark them dead */

		/* loop through server session structures attached to this and

		    mark them dead */

		list_for_each(tmp, &GlobalSMBSessionList) {

			ses =

			    list_entry(tmp, struct cifsSesInfo,

		/* does not have to be a perfect mapping since the field is

		informational, only used for servers that do not support

		port 445 and it can be overridden at mount time */

		vol->source_rfc1001_name[i] = toupper(system_utsname.nodename[i]);

		vol->source_rfc1001_name[i] = 

			toupper(system_utsname.nodename[i]);

	}

	vol->source_rfc1001_name[15] = 0;

			/* NB: password legally can have multiple commas and

			the only illegal character in a password is null */

			if ((value[temp_len] == 0) && (value[temp_len+1] == separator[0])) {

			if ((value[temp_len] == 0) && 

			    (value[temp_len+1] == separator[0])) {

				/* reinsert comma */

				value[temp_len] = separator[0];

				temp_len+=2;  /* move after the second comma */

				while(value[temp_len] != 0)  {

					if (value[temp_len] == separator[0]) {

						if (value[temp_len+1] == separator[0]) {

							temp_len++; /* skip second comma */

						if (value[temp_len+1] == 

						     separator[0]) {

						/* skip second comma */

							temp_len++;

						} else { 

						/* single comma indicating start

							 of next parm */

				}

				for(i=0,j=0;i<temp_len;i++,j++) {

					vol->password[j] = value[i];

					if(value[i] == separator[0] && value[i+1] == separator[0]) {

					if(value[i] == separator[0]

						&& value[i+1] == separator[0]) {

						/* skip second comma */

						i++;

					}

	cFYI(1,("new entry %p old entry %p",new_entry,old_entry));

	/* validate that new_entry is not past end of SMB */

	if(new_entry >= end_of_smb) {

		cFYI(1,("search entry %p began after end of SMB %p old entry %p",

		cERROR(1,

		      ("search entry %p began after end of SMB %p old entry %p",

			new_entry, end_of_smb, old_entry)); 

		return NULL;

	} else if (new_entry + sizeof(FILE_DIRECTORY_INFO) > end_of_smb) {

		cERROR(1,("search entry %p extends after end of SMB %p",

			new_entry, end_of_smb));

		return NULL;

	} else 

		return new_entry;