author | Ronnie Sahlberg <lsahlber@redhat.com> | 2019-04-15 12:13:52 +1000 |
committer | Steve French <stfrench@microsoft.com> | 2019-05-07 23:24:55 -0500 |
commit | 5242fcb706cb47dfa59bececc1bd280f0868901e (patch) | |
tree | b27f291d99c1bfec2e958419f949fc0a61dbf0d8 | |
parent | 4739f2328661d070f93f9bcc8afb2a82706c826d (diff) |
cifs: fix bi-directional fsctl passthrough calls
SMB2 Ioctl responses from servers may contain both the request blob from
the client followed by the actual reply blob for ioctls that are bi-directional.
In that case we cannot assume that the reply blob comes immediately after the
ioctl response structure.
This fixes FSCTLs such as SMB2:FSCTL_QUERY_ALLOCATED_RANGES
Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
-rw-r--r-- | fs/cifs/smb2ops.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
index 08ff044fbb4b..4002e1433ccb 100644
--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -1462,12 +1462,19 @@ smb2_ioctl_query_info(const unsigned int xid,
 	io_rsp = (struct smb2_ioctl_rsp *)rsp_iov[1].iov_base;
 	if (le32_to_cpu(io_rsp->OutputCount) < qi.input_buffer_length)
 		qi.input_buffer_length = le32_to_cpu(io_rsp->OutputCount);
+	if (qi.input_buffer_length > 0 &&
+	    le32_to_cpu(io_rsp->OutputOffset) + qi.input_buffer_length > rsp_iov[1].iov_len) {
+		rc = -EFAULT;
+		goto iqinf_exit;
+	}
 	if (copy_to_user(&pqi->input_buffer_length, &qi.input_buffer_length,
 			 sizeof(qi.input_buffer_length))) {
 		rc = -EFAULT;
 		goto iqinf_exit;
 	}
-	if (copy_to_user(pqi + 1, &io_rsp[1], qi.input_buffer_length)) {
+	if (copy_to_user((void __user *)pqi + sizeof(struct smb_query_info),
+			 (const void *)io_rsp + le32_to_cpu(io_rsp->OutputOffset),
+			 qi.input_buffer_length)) {
 		rc = -EFAULT;
 		goto iqinf_exit;
 	}
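Review bot: The new bounds check `le32_to_cpu(io_rsp->OutputOffset) + qi.input_buffer_length > rsp_iov[1].iov_len` adds two 32-bit unsigned values before widening to size_t, so a server-supplied OutputOffset close to the top of the u32 range makes the sum wrap to a small number, the check passes, and the copy_to_user below then reads from `io_rsp + OutputOffset`, far past the response buffer (this assumes `input_buffer_length` is a `__u32` in `struct smb_query_info`, which is not visible in the hunk). Both operands come from the wire, so the arithmetic should be done in a form that cannot wrap, e.g. `if (qi.input_buffer_length > 0 && (le32_to_cpu(io_rsp->OutputOffset) > rsp_iov[1].iov_len || qi.input_buffer_length > rsp_iov[1].iov_len - le32_to_cpu(io_rsp->OutputOffset))) {`. It is also worth a one-line comment above the check such as `/* OutputOffset/OutputCount are untrusted; keep the copy inside rsp_iov[1] */` so the next reader knows why the response is not trusted at face value. The enclosing smb2_ioctl_query_info body starts and ends outside this hunk.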