Commit 56446f21 authored by Dan Carpenter's avatar Dan Carpenter Committed by Steve French
Browse files

CIFS: fix wrapping bugs in num_entries() 



The problem is that "entryptr + next_offset" and "entryptr + len + size"
can wrap.  I ended up changing the type of "entryptr" because it makes
the math easier when we don't have to do so much casting.

Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
Reviewed-by: default avatarAurelien Aptel <aaptel@suse.com>
Reviewed-by: default avatarPavel Shilovsky <pshilov@microsoft.com>
CC: Stable <stable@vger.kernel.org>
parent 8ad8aa35

fs/cifs/smb2pdu.c

+15 −10
Original line number Diff line number Diff line
@@ -3577,33 +3577,38 @@ num_entries(char *bufstart, char *end_of_buf, char **lastentry, size_t size) 
	int len;

	unsigned int entrycount = 0;

	unsigned int next_offset = 0;

	FILE_DIRECTORY_INFO *entryptr;

	char *entryptr;

	FILE_DIRECTORY_INFO *dir_info;



	if (bufstart == NULL)

		return 0;



	entryptr = (FILE_DIRECTORY_INFO *)bufstart;

	entryptr = bufstart;



	while (1) {

		entryptr = (FILE_DIRECTORY_INFO *)

					((char *)entryptr + next_offset);



		if ((char *)entryptr + size > end_of_buf) {

		if (entryptr + next_offset < entryptr ||

		    entryptr + next_offset > end_of_buf ||

		    entryptr + next_offset + size > end_of_buf) {

			cifs_dbg(VFS, "malformed search entry would overflow\n");

			break;

		}



		len = le32_to_cpu(entryptr->FileNameLength);

		if ((char *)entryptr + len + size > end_of_buf) {

		entryptr = entryptr + next_offset;

		dir_info = (FILE_DIRECTORY_INFO *)entryptr;



		len = le32_to_cpu(dir_info->FileNameLength);

		if (entryptr + len < entryptr ||

		    entryptr + len > end_of_buf ||

		    entryptr + len + size > end_of_buf) {

			cifs_dbg(VFS, "directory entry name would overflow frame end of buf %p\n",

				 end_of_buf);

			break;

		}



		*lastentry = (char *)entryptr;

		*lastentry = entryptr;

		entrycount++;



		next_offset = le32_to_cpu(entryptr->NextEntryOffset);

		next_offset = le32_to_cpu(dir_info->NextEntryOffset);

		if (!next_offset)

			break;

	}

CRA Git | Maintained and supported by SUSTech CRA and CCSE