From: Aurélien Aptel
To: Stefano Brivio, Steve French
Cc: linux-cifs@vger.kernel.org, Ronnie Sahlberg, Jianhong Yin, Pavel Shilovsky, Shirish Pargaonkar, stable@vger.kernel.org, Stefano Brivio
Subject: Re: [PATCH] cifs: Fix slab-out-of-bounds in send_set_info() on SMB2 ACE setting
Date: Thu, 05 Jul 2018 16:35:00 +0200
Message-ID: <87d0w17nu3.fsf@suse.com>

Stefano Brivio writes:
> /* BB eventually switch this to SMB2 specific small buf size */ > - *request_buf = cifs_small_buf_get(); > + if (smb2_command == SMB2_SET_INFO) > + *request_buf = cifs_buf_get(); > + else > + *request_buf = cifs_small_buf_get(); > if (*request_buf == NULL) { > /* BB should we add a retry in here if not a writepage? */ > return -ENOMEM; > @@ -3720,7 +3723,7 @@ send_set_info(const unsigned int xid, struct cifs_tcon *tcon, > > rc = cifs_send_recv(xid, ses, &rqst, &resp_buftype, flags, > &rsp_iov); > - cifs_small_buf_release(req); > + cifs_buf_release(req); > rsp = (struct smb2_set_info_rsp *)rsp_iov.iov_base;

Small and large bufs use different mempools, shouldn't the release func match the get func?

-- 
Aurélien Aptel / SUSE Labs Samba Team
GPG: 1839 CB5F 9F5B FB9B AA97 8C99 03C8 A49B 521B D5D3
SUSE Linux GmbH, Maxfeldstraße 5, 90409 Nürnberg, Germany
GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
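Review bot: In the allocation hunk, the comment "BB eventually switch this to SMB2 specific small buf size" now sits directly above a branch that hands out a large buffer for SMB2_SET_INFO, so it no longer describes the code. Since the pool is picked here from smb2_command while the release happens in the caller, please update the comment to state that SMB2_SET_INFO requests come from cifs_buf_get() and must be freed with cifs_buf_release(), so that the get/release pairing is documented at the point where it is decided.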
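Review bot: In the send_set_info() hunk, only the release that follows cifs_send_recv() is switched to cifs_buf_release(req); any other place that frees a request allocated with smb2_command == SMB2_SET_INFO, including earlier exits of this function that are outside the visible context, needs the same change, because the two buffer sizes come from different mempools. A short comment at this release pointing back to the SMB2_SET_INFO branch in the allocation would make it clear why this one call site differs from the cifs_small_buf_release() pattern it replaces.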