From: Paulo Alcantara <pc@manguebit.com>
To: smfrench@gmail.com
Cc: linux-cifs@vger.kernel.org, Paulo Alcantara <pc@manguebit.com>
Subject: [PATCH 2/2] cifs: get rid of dup length check in parse_reparse_point()
Date: Sat, 6 Jan 2024 20:05:18 -0300 [thread overview]
Message-ID: <20240106230518.29920-2-pc@manguebit.com> (raw)
In-Reply-To: <20240106230518.29920-1-pc@manguebit.com>
smb2_compound_op(SMB2_OP_GET_REPARSE) already checks if ioctl response
has a valid reparse data buffer's length, so there's no need to check
it again in parse_reparse_point().
In order to get rid of duplicate check, validate reparse data buffer's
length also in cifs_query_reparse_point().
Signed-off-by: Paulo Alcantara (SUSE) <pc@manguebit.com>
---
fs/smb/client/cifssmb.c | 14 ++++++++++++--
fs/smb/client/smb2ops.c | 12 ------------
2 files changed, 12 insertions(+), 14 deletions(-)
diff --git a/fs/smb/client/cifssmb.c b/fs/smb/client/cifssmb.c
index e9e33b0b3ac4..01e89070df5a 100644
--- a/fs/smb/client/cifssmb.c
+++ b/fs/smb/client/cifssmb.c
@@ -2700,11 +2700,12 @@ int cifs_query_reparse_point(const unsigned int xid,
u32 *tag, struct kvec *rsp,
int *rsp_buftype)
{
+ struct reparse_data_buffer *buf;
struct cifs_open_parms oparms;
TRANSACT_IOCTL_REQ *io_req = NULL;
TRANSACT_IOCTL_RSP *io_rsp = NULL;
struct cifs_fid fid;
- __u32 data_offset, data_count;
+ __u32 data_offset, data_count, len;
__u8 *start, *end;
int io_rsp_len;
int oplock = 0;
@@ -2774,7 +2775,16 @@ int cifs_query_reparse_point(const unsigned int xid,
goto error;
}
- *tag = le32_to_cpu(((struct reparse_data_buffer *)start)->ReparseTag);
+ data_count = le16_to_cpu(io_rsp->ByteCount);
+ buf = (struct reparse_data_buffer *)start;
+ len = sizeof(*buf);
+ if (data_count < len ||
+ data_count < le16_to_cpu(buf->ReparseDataLength) + len) {
+ rc = -EIO;
+ goto error;
+ }
+
+ *tag = le32_to_cpu(buf->ReparseTag);
rsp->iov_base = io_rsp;
rsp->iov_len = io_rsp_len;
*rsp_buftype = CIFS_LARGE_BUFFER;
diff --git a/fs/smb/client/smb2ops.c b/fs/smb/client/smb2ops.c
index 938d51a88dd6..01a5bd7e6a30 100644
--- a/fs/smb/client/smb2ops.c
+++ b/fs/smb/client/smb2ops.c
@@ -2947,18 +2947,6 @@ int parse_reparse_point(struct reparse_data_buffer *buf,
u32 plen, struct cifs_sb_info *cifs_sb,
bool unicode, struct cifs_open_info_data *data)
{
- if (plen < sizeof(*buf)) {
- cifs_dbg(VFS, "%s: reparse buffer is too small. Must be at least 8 bytes but was %d\n",
- __func__, plen);
- return -EIO;
- }
-
- if (plen < le16_to_cpu(buf->ReparseDataLength) + sizeof(*buf)) {
- cifs_dbg(VFS, "%s: invalid reparse buf length: %d\n",
- __func__, plen);
- return -EIO;
- }
-
data->reparse.buf = buf;
/* See MS-FSCC 2.1.2 */
--
2.43.0
prev parent reply other threads:[~2024-01-06 23:05 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-06 23:05 [PATCH 1/2] smb: client: stop revalidating reparse points unnecessarily Paulo Alcantara
2024-01-06 23:05 ` Paulo Alcantara [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240106230518.29920-2-pc@manguebit.com \
--to=pc@manguebit.com \
--cc=linux-cifs@vger.kernel.org \
--cc=smfrench@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox