From 133672efbc1085f9af990bdc145e1822ea93bcf3 Mon Sep 17 00:00:00 2001 From: Steve French Date: Tue, 13 Nov 2007 22:41:37 +0000 Subject: [CIFS] Fix buffer overflow if server sends corrupt response to small request In SendReceive() function in transport.c - it memcpy's message payload into a buffer passed via out_buf param. The function assumes that all buffers are of size (CIFSMaxBufSize + MAX_CIFS_HDR_SIZE) , unfortunately it is also called with smaller (MAX_CIFS_SMALL_BUFFER_SIZE) buffers. There are eight callers (SMB worker functions) which are primarily affected by this change: TreeDisconnect, uLogoff, Close, findClose, SetFileSize, SetFileTimes, Lock and PosixLock CC: Dave Kleikamp CC: Przemyslaw Wegrzyn Acked-by: Jeff Layton Signed-off-by: Steve French --- fs/cifs/cifsproto.h | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'fs/cifs/cifsproto.h') diff --git a/fs/cifs/cifsproto.h b/fs/cifs/cifsproto.h index dd1d7c200ee6..0c55dff2add8 100644 --- a/fs/cifs/cifsproto.h +++ b/fs/cifs/cifsproto.h @@ -48,10 +48,11 @@ extern int SendReceive(const unsigned int /* xid */ , struct cifsSesInfo *, struct smb_hdr * /* input */ , struct smb_hdr * /* out */ , int * /* bytes returned */ , const int long_op); +extern int SendReceiveNoRsp(const unsigned int xid, struct cifsSesInfo *ses, + struct smb_hdr *in_buf, int flags); extern int SendReceive2(const unsigned int /* xid */ , struct cifsSesInfo *, struct kvec *, int /* nvec to send */, - int * /* type of buf returned */ , const int long_op, - const int logError /* whether to log status code*/ ); + int * /* type of buf returned */ , const int flags); extern int SendReceiveBlockingLock(const unsigned int /* xid */ , struct cifsTconInfo *, struct smb_hdr * /* input */ , -- cgit v1.2.3