mirror of https://gitee.com/openkylin/linux.git
SMB3 fix (for stable as well) for crash mishandling one of the Windows reparse point symlink tags
-----BEGIN PGP SIGNATURE----- iQGzBAABCgAdFiEE6fsu8pdIjtWE/DpLiiy9cAdyT1EFAl0b67IACgkQiiy9cAdy T1H/Ngv/XNc9l/OEHwyWZ1QnSCBKZyLyD5ZcKQRFFkfiktmQ8FtPUzf4qKlHxX1h ssefwBIbkW1+DG2sgvrL7OfqnPDnSezVoifvRmbh0nFX8anWhtChZMc0s+xiLtz2 SbDBugNSkc8l9fvQz5A6VPJ3TcNA+VsSE2rr1HuimS9S4RAy1RsPhhWNyUh3GV5A SWuD7bsnxZ7/H2l+hx+s2O5RLDFoeniEIGFTsH9/f7Q19YGJtf6arnUlyUaZjkXK bPV2jZyalRUznK7RSFDLu49fS2zH8/m6MfBYyat31SZVtLFcQC/ijhKYTWr8wrKu +iQPlX+IDk4rfH/++7PXJJv1sKFLZNEs22dOi1YG0FgkRtMNA8HzmJqVFLcgoB2d QD7Ahj4dE0ghXv1dLMjfKdchNbkrWiygfpje54AkhU9SWUIS/EljDbQSq3e/wpAW i9HxCGCmmTPFzVKDVhyaBXHi6h5pzd7FfNNS4iJ2Lsy5PRLOHBMxaX1wknu/8vP0 IIWuB9Hh =1zkr -----END PGP SIGNATURE----- Merge tag '5.2-rc6-smb3-fix' of git://git.samba.org/sfrench/cifs-2.6 Pull cifs fix from Steve French: "SMB3 fix (for stable as well) for crash mishandling one of the Windows reparse point symlink tags" * tag '5.2-rc6-smb3-fix' of git://git.samba.org/sfrench/cifs-2.6: cifs: fix crash querying symlinks stored as reparse-points
This commit is contained in:
commit
6e692c3b72
|
@ -2372,6 +2372,41 @@ smb2_get_dfs_refer(const unsigned int xid, struct cifs_ses *ses,
|
|||
kfree(dfs_rsp);
|
||||
return rc;
|
||||
}
|
||||
|
||||
static int
|
||||
parse_reparse_symlink(struct reparse_symlink_data_buffer *symlink_buf,
|
||||
u32 plen, char **target_path,
|
||||
struct cifs_sb_info *cifs_sb)
|
||||
{
|
||||
unsigned int sub_len;
|
||||
unsigned int sub_offset;
|
||||
|
||||
/* We only handle Symbolic Link : MS-FSCC 2.1.2.4 */
|
||||
if (le32_to_cpu(symlink_buf->ReparseTag) != IO_REPARSE_TAG_SYMLINK) {
|
||||
cifs_dbg(VFS, "srv returned invalid symlink buffer\n");
|
||||
return -EIO;
|
||||
}
|
||||
|
||||
sub_offset = le16_to_cpu(symlink_buf->SubstituteNameOffset);
|
||||
sub_len = le16_to_cpu(symlink_buf->SubstituteNameLength);
|
||||
if (sub_offset + 20 > plen ||
|
||||
sub_offset + sub_len + 20 > plen) {
|
||||
cifs_dbg(VFS, "srv returned malformed symlink buffer\n");
|
||||
return -EIO;
|
||||
}
|
||||
|
||||
*target_path = cifs_strndup_from_utf16(
|
||||
symlink_buf->PathBuffer + sub_offset,
|
||||
sub_len, true, cifs_sb->local_nls);
|
||||
if (!(*target_path))
|
||||
return -ENOMEM;
|
||||
|
||||
convert_delimiter(*target_path, '/');
|
||||
cifs_dbg(FYI, "%s: target path: %s\n", __func__, *target_path);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
#define SMB2_SYMLINK_STRUCT_SIZE \
|
||||
(sizeof(struct smb2_err_rsp) - 1 + sizeof(struct smb2_symlink_err_rsp))
|
||||
|
||||
|
@ -2401,11 +2436,13 @@ smb2_query_symlink(const unsigned int xid, struct cifs_tcon *tcon,
|
|||
struct kvec close_iov[1];
|
||||
struct smb2_create_rsp *create_rsp;
|
||||
struct smb2_ioctl_rsp *ioctl_rsp;
|
||||
char *ioctl_buf;
|
||||
struct reparse_data_buffer *reparse_buf;
|
||||
u32 plen;
|
||||
|
||||
cifs_dbg(FYI, "%s: path: %s\n", __func__, full_path);
|
||||
|
||||
*target_path = NULL;
|
||||
|
||||
if (smb3_encryption_required(tcon))
|
||||
flags |= CIFS_TRANSFORM_REQ;
|
||||
|
||||
|
@ -2483,17 +2520,36 @@ smb2_query_symlink(const unsigned int xid, struct cifs_tcon *tcon,
|
|||
if ((rc == 0) && (is_reparse_point)) {
|
||||
/* See MS-FSCC 2.3.23 */
|
||||
|
||||
ioctl_buf = (char *)ioctl_rsp + le32_to_cpu(ioctl_rsp->OutputOffset);
|
||||
reparse_buf = (struct reparse_data_buffer *)
|
||||
((char *)ioctl_rsp +
|
||||
le32_to_cpu(ioctl_rsp->OutputOffset));
|
||||
plen = le32_to_cpu(ioctl_rsp->OutputCount);
|
||||
|
||||
if (plen + le32_to_cpu(ioctl_rsp->OutputOffset) >
|
||||
rsp_iov[1].iov_len) {
|
||||
cifs_dbg(VFS, "srv returned invalid ioctl length: %d\n", plen);
|
||||
cifs_dbg(VFS, "srv returned invalid ioctl len: %d\n",
|
||||
plen);
|
||||
rc = -EIO;
|
||||
goto querty_exit;
|
||||
}
|
||||
|
||||
/* Do stuff with ioctl_buf/plen */
|
||||
if (plen < 8) {
|
||||
cifs_dbg(VFS, "reparse buffer is too small. Must be "
|
||||
"at least 8 bytes but was %d\n", plen);
|
||||
rc = -EIO;
|
||||
goto querty_exit;
|
||||
}
|
||||
|
||||
if (plen < le16_to_cpu(reparse_buf->ReparseDataLength) + 8) {
|
||||
cifs_dbg(VFS, "srv returned invalid reparse buf "
|
||||
"length: %d\n", plen);
|
||||
rc = -EIO;
|
||||
goto querty_exit;
|
||||
}
|
||||
|
||||
rc = parse_reparse_symlink(
|
||||
(struct reparse_symlink_data_buffer *)reparse_buf,
|
||||
plen, target_path, cifs_sb);
|
||||
goto querty_exit;
|
||||
}
|
||||
|
||||
|
|
|
@ -914,7 +914,19 @@ struct reparse_mount_point_data_buffer {
|
|||
__u8 PathBuffer[0]; /* Variable Length */
|
||||
} __packed;
|
||||
|
||||
/* See MS-FSCC 2.1.2.4 and cifspdu.h for struct reparse_symlink_data */
|
||||
#define SYMLINK_FLAG_RELATIVE 0x00000001
|
||||
|
||||
struct reparse_symlink_data_buffer {
|
||||
__le32 ReparseTag;
|
||||
__le16 ReparseDataLength;
|
||||
__u16 Reserved;
|
||||
__le16 SubstituteNameOffset;
|
||||
__le16 SubstituteNameLength;
|
||||
__le16 PrintNameOffset;
|
||||
__le16 PrintNameLength;
|
||||
__le32 Flags;
|
||||
__u8 PathBuffer[0]; /* Variable Length */
|
||||
} __packed;
|
||||
|
||||
/* See MS-FSCC 2.1.2.6 and cifspdu.h for struct reparse_posix_data */
|
||||
|
||||
|
|
Loading…
Reference in New Issue