tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

Merge tag 'v6.12-rc1-ksmbd-fixes' of git://git.samba.org/ksmbd

Pull smb server fixes from Steve French:

- small cleanup patches leveraging struct size to improve access bounds checking

* tag 'v6.12-rc1-ksmbd-fixes' of git://git.samba.org/ksmbd:
ksmbd: Use struct_size() to improve smb_direct_rdma_xmit()
ksmbd: Annotate struct copychunk_ioctl_req with __counted_by_le()
ksmbd: Use struct_size() to improve get_file_alternate_info()

Linus Torvalds 9c02404b 20c2474f

+12 -13
+3 -4
fs/smb/server/smb2pdu.c
··· 4883 4883 spin_unlock(&dentry->d_lock); 4884 4884 file_info->FileNameLength = cpu_to_le32(conv_len); 4885 4885 rsp->OutputBufferLength = 4886 - cpu_to_le32(sizeof(struct smb2_file_alt_name_info) + conv_len); 4886 + cpu_to_le32(struct_size(file_info, FileName, conv_len)); 4887 4887 } 4888 4888 4889 4889 static int get_file_stream_info(struct ksmbd_work *work, ··· 7562 7562 ci_rsp->TotalBytesWritten = 7563 7563 cpu_to_le32(ksmbd_server_side_copy_max_total_size()); 7564 7564 7565 - chunks = (struct srv_copychunk *)&ci_req->Chunks[0]; 7566 7565 chunk_count = le32_to_cpu(ci_req->ChunkCount); 7567 7566 if (chunk_count == 0) 7568 7567 goto out; ··· 7569 7570 7570 7571 /* verify the SRV_COPYCHUNK_COPY packet */ 7571 7572 if (chunk_count > ksmbd_server_side_copy_max_chunk_count() || 7572 - input_count < offsetof(struct copychunk_ioctl_req, Chunks) + 7573 - chunk_count * sizeof(struct srv_copychunk)) { 7573 + input_count < struct_size(ci_req, Chunks, chunk_count)) { 7574 7574 rsp->hdr.Status = STATUS_INVALID_PARAMETER; 7575 7575 return -EINVAL; 7576 7576 } 7577 7577 7578 + chunks = &ci_req->Chunks[0]; 7578 7579 for (i = 0; i < chunk_count; i++) { 7579 7580 if (le32_to_cpu(chunks[i].Length) == 0 || 7580 7581 le32_to_cpu(chunks[i].Length) > ksmbd_server_side_copy_max_chunk_size())
+7 -7
fs/smb/server/smb2pdu.h
··· 190 190 __u8 Context[4]; /* ignored, Windows sets to 4 bytes of zero */ 191 191 } __packed; 192 192 193 - struct copychunk_ioctl_req { 194 - __le64 ResumeKey[3]; 195 - __le32 ChunkCount; 196 - __le32 Reserved; 197 - __u8 Chunks[]; /* array of srv_copychunk */ 198 - } __packed; 199 - 200 193 struct srv_copychunk { 201 194 __le64 SourceOffset; 202 195 __le64 TargetOffset; 203 196 __le32 Length; 204 197 __le32 Reserved; 198 + } __packed; 199 + 200 + struct copychunk_ioctl_req { 201 + __le64 ResumeKey[3]; 202 + __le32 ChunkCount; 203 + __le32 Reserved; 204 + struct srv_copychunk Chunks[] __counted_by_le(ChunkCount); 205 205 } __packed; 206 206 207 207 struct copychunk_ioctl_rsp {
+2 -2
fs/smb/server/transport_rdma.c
··· 1405 1405 /* build rdma_rw_ctx for each descriptor */ 1406 1406 desc_buf = buf; 1407 1407 for (i = 0; i < desc_num; i++) { 1408 - msg = kzalloc(offsetof(struct smb_direct_rdma_rw_msg, sg_list) + 1409 - sizeof(struct scatterlist) * SG_CHUNK_SIZE, GFP_KERNEL); 1408 + msg = kzalloc(struct_size(msg, sg_list, SG_CHUNK_SIZE), 1409 + GFP_KERNEL); 1410 1410 if (!msg) { 1411 1411 ret = -ENOMEM; 1412 1412 goto out;