Bugfixes for 2.6.38

Fix memory over bound bug in cifs_parse_mount_options + stable updates

Bugfixes for 2.6.38
f242e285 · Pavel Shilovsky · 0f70d52c · f242e285 · f242e285 · f242e285
Commit f242e285 authored May 12, 2011 by Pavel Shilovsky
Show whitespace changes
Inline Side-by-side

Showing with 16 additions and 9 deletions

cifsencrypt.c sources/2.6.38/cifsencrypt.c +9 -6

cifsfs.c sources/2.6.38/cifsfs.c +1 -0

connect.c sources/2.6.38/connect.c +4 -3

file.c sources/2.6.38/file.c +2 -0

No files found.
--- a/sources/2.6.38/cifsencrypt.c
+++ b/sources/2.6.38/cifsencrypt.c
@@ -30,12 +30,13 @@
 #include <linux/ctype.h>
 #include <linux/random.h>
-/* Calculate and return the CIFS signature based on the mac key and SMB PDU */
+/*
-/* the 16 byte signature must be allocated by the caller  */
+ * Calculate and return the CIFS signature based on the mac key and SMB PDU.
-/* Note we only use the 1st eight bytes */
+ * The 16 byte signature must be allocated by the caller. Note we only use the
-/* Note that the smb header signature field on input contains the
+ * 1st eight bytes and that the smb header signature field on input contains
-	sequence number before this function is called */
+ * the sequence number before this function is called. Also, this function
+ * should be called with the server->srv_mutex held.
+ */
 static int cifs_calculate_signature(const struct smb_hdr *cifs_pdu,
 				struct TCP_Server_Info *server, char *signature)
 {
@@ -209,8 +210,10 @@ int cifs_verify_signature(struct smb_hdr *cifs_pdu,
 					cpu_to_le32(expected_sequence_number);
 	cifs_pdu->Signature.Sequence.Reserved = 0;
+	mutex_lock(&server->srv_mutex);
 	rc = cifs_calculate_signature(cifs_pdu, server,
 		what_we_think_sig_should_be);
+	mutex_unlock(&server->srv_mutex);
 	if (rc)
 		return rc;

--- a/sources/2.6.38/cifsfs.c
+++ b/sources/2.6.38/cifsfs.c
@@ -127,6 +127,7 @@ cifs_read_super(struct super_block *sb, void *data,
 		kfree(cifs_sb);
 		return rc;
 	}
+	cifs_sb->bdi.ra_pages = default_backing_dev_info.ra_pages;
 #ifdef CONFIG_CIFS_DFS_UPCALL
 	/* copy mount params to sb for use in submounts */

--- a/sources/2.6.38/connect.c
+++ b/sources/2.6.38/connect.c
@@ -809,8 +809,7 @@ static int
 cifs_parse_mount_options(char *options, const char *devname,
 			 struct smb_vol *vol)
 {
-	char *value;
+	char *value, *data, *end;
-	char *data;
 	unsigned int  temp_len, i, j;
 	char separator[2];
 	short int override_uid = -1;
@@ -853,6 +852,7 @@ cifs_parse_mount_options(char *options, const char *devname,
 	if (!options)
 		return 1;
+	end = options + strlen(options);
 	if (strncmp(options, "sep=", 4) == 0) {
 		if (options[4] != 0) {
 			separator[0] = options[4];
@@ -917,6 +917,7 @@ cifs_parse_mount_options(char *options, const char *devname,
 			the only illegal character in a password is null */
 			if ((value[temp_len] == 0) &&
+			    (value + temp_len < end) &&
 			    (value[temp_len+1] == separator[0])) {
 				/* reinsert comma */
 				value[temp_len] = separator[0];
@@ -2833,7 +2834,7 @@ try_mount_again:
 remote_path_check:
 	/* check if a whole path (including prepath) is not remote */
-	if (!rc && cifs_sb->prepathlen && tcon) {
+	if (!rc && tcon) {
 		/* build_path_to_root works only when we have a valid tcon */
 		full_path = cifs_build_path_to_root(cifs_sb, tcon);
 		if (full_path == NULL) {

--- a/sources/2.6.38/file.c
+++ b/sources/2.6.38/file.c
@@ -586,8 +586,10 @@ reopen_error_exit:
 int cifs_close(struct inode *inode, struct file *file)
 {
+	if (file->private_data != NULL) {
 		cifsFileInfo_put(file->private_data);
 		file->private_data = NULL;
+	}
 	/* return code from the ->release op is always ignored */
 	return 0;