diff options
author | Steve French <sfrench@us.ibm.com> | 2007-11-13 22:41:37 +0000 |
---|---|---|
committer | Steve French <sfrench@us.ibm.com> | 2007-11-13 22:41:37 +0000 |
commit | 133672efbc1085f9af990bdc145e1822ea93bcf3 (patch) | |
tree | b93b5ba3a9559d137fe7fb86f6d1a3d33189ce0b /fs/ncpfs | |
parent | 9418d5dc9ba40b88737580457bf3b7c63c60ec43 (diff) |
[CIFS] Fix buffer overflow if server sends corrupt response to small
request
In SendReceive() function in transport.c - it memcpy's
message payload into a buffer passed via out_buf param. The function
assumes that all buffers are of size (CIFSMaxBufSize +
MAX_CIFS_HDR_SIZE) , unfortunately it is also called with smaller
(MAX_CIFS_SMALL_BUFFER_SIZE) buffers. There are eight callers
(SMB worker functions) which are primarily affected by this change:
TreeDisconnect, uLogoff, Close, findClose, SetFileSize, SetFileTimes,
Lock and PosixLock
CC: Dave Kleikamp <shaggy@austin.ibm.com>
CC: Przemyslaw Wegrzyn <czajnik@czajsoft.pl>
Acked-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
Diffstat (limited to 'fs/ncpfs')
0 files changed, 0 insertions, 0 deletions