Attachment #44598 for bug #65877

Lines 1427-1435 Link Here

(-)linux-2.6.8.1/fs/smbfs/proc.c (-3 / +3 lines)
1427	* So we must first calculate the amount of padding used by the server.	1427	* So we must first calculate the amount of padding used by the server.
1428	*/	1428	*/
1429	data_off -= hdrlen;	1429	data_off -= hdrlen;
1430	if (data_off > SMB_READX_MAX_PAD) {	1430	if (data_off > SMB_READX_MAX_PAD \|\| data_off < 0) {
1431	PARANOIA("offset is larger than max pad!\n");	1431	PARANOIA("offset is larger than SMB_READX_MAX_PAD or negative!\n");
1432	PARANOIA("%d > %d\n", data_off, SMB_READX_MAX_PAD);	1432	PARANOIA("%d > %d \|\| %d < 0\n", data_off, SMB_READX_MAX_PAD, data_off);
1433	req->rq_rlen = req->rq_bufsize + 1;	1433	req->rq_rlen = req->rq_bufsize + 1;
1434	return;	1434	return;
1435	}	1435	}

Lines 588-593 Link Here

(-)linux-2.6.8.1/fs/smbfs/request.c (-4 / +16 lines)
588	data_count = WVAL(inbuf, smb_drcnt);	588	data_count = WVAL(inbuf, smb_drcnt);
589		589
590	/* Modify offset for the split header/buffer we use */	590	/* Modify offset for the split header/buffer we use */
		591	if (data_offset < hdrlen)
		592	goto out_bad_data;
		593	if (parm_offset < hdrlen)
		594	goto out_bad_parm;
591	data_offset -= hdrlen;	595	data_offset -= hdrlen;
592	parm_offset -= hdrlen;	596	parm_offset -= hdrlen;
593		597
Lines 607-612 Link Here
607	req->rq_lparm = parm_count;	611	req->rq_lparm = parm_count;
608	req->rq_data = req->rq_buffer + data_offset;	612	req->rq_data = req->rq_buffer + data_offset;
609	req->rq_parm = req->rq_buffer + parm_offset;	613	req->rq_parm = req->rq_buffer + parm_offset;
		614	if (parm_offset + parm_count > req->rq_rlen)
		615	goto out_bad_parm;
		616	if (data_offset + data_count > req->rq_rlen)
		617	goto out_bad_data;
610	return 0;	618	return 0;
611	}	619	}
Lines 643-650 Link Here
643		652
644	if (parm_disp + parm_count > req->rq_total_parm)	653	if (parm_disp + parm_count > req->rq_total_parm)
645	goto out_bad_parm;	654	goto out_bad_parm;
		655	if (parm_offset + parm_count > req->rq_rlen)
		656	goto out_bad_parm;
646	if (data_disp + data_count > req->rq_total_data)	657	if (data_disp + data_count > req->rq_total_data)
647	goto out_bad_data;	658	goto out_bad_data;
		659	if (data_offset + data_count > req->rq_rlen)
		660	goto out_bad_data;
648		661
649	inbuf = req->rq_buffer;	662	inbuf = req->rq_buffer;
650	memcpy(req->rq_parm + parm_disp, inbuf + parm_offset, parm_count);	663	memcpy(req->rq_parm + parm_disp, inbuf + parm_offset, parm_count);
Lines 676-688 Link Here
676	req->rq_errno = -EIO;	692	req->rq_errno = -EIO;
677	goto out;	693	goto out;
678	out_bad_parm:	694	out_bad_parm:
679	printk(KERN_ERR "smb_trans2: invalid parms, disp=%d, cnt=%d, tot=%d\n",	695	printk(KERN_ERR "smb_trans2: invalid parms, disp=%d, cnt=%d, tot=%d, ofs=%d\n",
680	parm_disp, parm_count, parm_tot);	696	parm_disp, parm_count, parm_tot, parm_offset);
681	req->rq_errno = -EIO;	697	req->rq_errno = -EIO;
682	goto out;	698	goto out;
683	out_bad_data:	699	out_bad_data:
684	printk(KERN_ERR "smb_trans2: invalid data, disp=%d, cnt=%d, tot=%d\n",	700	printk(KERN_ERR "smb_trans2: invalid data, disp=%d, cnt=%d, tot=%d, ofs=%d\n",
685	data_disp, data_count, data_tot);	701	data_disp, data_count, data_tot, data_offset);
686	req->rq_errno = -EIO;	702	req->rq_errno = -EIO;
687	out:	703	out:
688	return req->rq_errno;	704	return req->rq_errno;

Return to bug 65877