Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Merge branch 'for-linus' of git://git.samba.org/sfrench/cifs-2.6

Pull cifs fixes from Jeff Layton.

* 'for-linus' of git://git.samba.org/sfrench/cifs-2.6:
cifs: Do not lookup hashed negative dentry in cifs_atomic_open
cifs: fix potential buffer overrun in cifs.idmap handling code

+30 -30
+20 -29
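--- a/fs/cifs/cifsacl.c
+++ b/fs/cifs/cifsacl.c
@@ -225,6 +225,13 @@
 }
 
 static void
+cifs_copy_sid(struct cifs_sid *dst, const struct cifs_sid *src)
+{
+memcpy(dst, src, sizeof(*dst));
+dst->num_subauth = min_t(u8, src->num_subauth, NUM_SUBAUTHS);
+}
+
+static void
 id_rb_insert(struct rb_root *root, struct cifs_sid *sidptr,
 struct cifs_sid_id **psidid, char *typestr)
 {
@@ -255,7 +248,7 @@
 }
 }
 
-memcpy(&(*psidid)->sid, sidptr, sizeof(struct cifs_sid));
+cifs_copy_sid(&(*psidid)->sid, sidptr);
 (*psidid)->time = jiffies - (SID_MAP_RETRY + 1);
 (*psidid)->refcount = 0;
 
@@ -361,7 +354,7 @@
 * any fields of the node after a reference is put .
 */
 if (test_bit(SID_ID_MAPPED, &psidid->state)) {
-memcpy(ssid, &psidid->sid, sizeof(struct cifs_sid));
+cifs_copy_sid(ssid, &psidid->sid);
 psidid->time = jiffies; /* update ts for accessing */
 goto id_sid_out;
 }
@@ -377,14 +370,14 @@
 if (IS_ERR(sidkey)) {
 rc = -EINVAL;
 cFYI(1, "%s: Can't map and id to a SID", __func__);
+} else if (sidkey->datalen < sizeof(struct cifs_sid)) {
+rc = -EIO;
+cFYI(1, "%s: Downcall contained malformed key "
+"(datalen=%hu)", __func__, sidkey->datalen);
 } else {
 lsid = (struct cifs_sid *)sidkey->payload.data;
-memcpy(&psidid->sid, lsid,
-sidkey->datalen < sizeof(struct cifs_sid) ?
-sidkey->datalen : sizeof(struct cifs_sid));
-memcpy(ssid, &psidid->sid,
-sidkey->datalen < sizeof(struct cifs_sid) ?
-sidkey->datalen : sizeof(struct cifs_sid));
+cifs_copy_sid(&psidid->sid, lsid);
+cifs_copy_sid(ssid, &psidid->sid);
 set_bit(SID_ID_MAPPED, &psidid->state);
 key_put(sidkey);
 kfree(psidid->sidstr);
@@ -403,7 +396,7 @@
 return rc;
 }
 if (test_bit(SID_ID_MAPPED, &psidid->state))
-memcpy(ssid, &psidid->sid, sizeof(struct cifs_sid));
+cifs_copy_sid(ssid, &psidid->sid);
 else
 rc = -EINVAL;
 }
@@ -682,8 +675,6 @@
 static void copy_sec_desc(const struct cifs_ntsd *pntsd,
 struct cifs_ntsd *pnntsd, __u32 sidsoffset)
 {
-int i;
-
 struct cifs_sid *owner_sid_ptr, *group_sid_ptr;
 struct cifs_sid *nowner_sid_ptr, *ngroup_sid_ptr;
 
@@ -697,26 +692,14 @@
 owner_sid_ptr = (struct cifs_sid *)((char *)pntsd +
 le32_to_cpu(pntsd->osidoffset));
 nowner_sid_ptr = (struct cifs_sid *)((char *)pnntsd + sidsoffset);
-
-nowner_sid_ptr->revision = owner_sid_ptr->revision;
-nowner_sid_ptr->num_subauth = owner_sid_ptr->num_subauth;
-for (i = 0; i < 6; i++)
-nowner_sid_ptr->authority[i] = owner_sid_ptr->authority[i];
-for (i = 0; i < 5; i++)
-nowner_sid_ptr->sub_auth[i] = owner_sid_ptr->sub_auth[i];
+cifs_copy_sid(nowner_sid_ptr, owner_sid_ptr);
 
 /* copy group sid */
 group_sid_ptr = (struct cifs_sid *)((char *)pntsd +
 le32_to_cpu(pntsd->gsidoffset));
 ngroup_sid_ptr = (struct cifs_sid *)((char *)pnntsd + sidsoffset +
 sizeof(struct cifs_sid));
-
-ngroup_sid_ptr->revision = group_sid_ptr->revision;
-ngroup_sid_ptr->num_subauth = group_sid_ptr->num_subauth;
-for (i = 0; i < 6; i++)
-ngroup_sid_ptr->authority[i] = group_sid_ptr->authority[i];
-for (i = 0; i < 5; i++)
-ngroup_sid_ptr->sub_auth[i] = group_sid_ptr->sub_auth[i];
+cifs_copy_sid(ngroup_sid_ptr, group_sid_ptr);
 
 return;
 }
@@ -1113,8 +1120,7 @@
 kfree(nowner_sid_ptr);
 return rc;
 }
-memcpy(owner_sid_ptr, nowner_sid_ptr,
-sizeof(struct cifs_sid));
+cifs_copy_sid(owner_sid_ptr, nowner_sid_ptr);
 kfree(nowner_sid_ptr);
 *aclflag = CIFS_ACL_OWNER;
 }
@@ -1131,8 +1139,7 @@
 kfree(ngroup_sid_ptr);
 return rc;
 }
-memcpy(group_sid_ptr, ngroup_sid_ptr,
-sizeof(struct cifs_sid));
+cifs_copy_sid(group_sid_ptr, ngroup_sid_ptr);
 kfree(ngroup_sid_ptr);
 *aclflag = CIFS_ACL_GROUP;
 }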
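Review bot: The new `else if (sidkey->datalen < sizeof(struct cifs_sid))` branch sets rc = -EIO without releasing the key: `key_put(sidkey);` appears only in the final `else` branch, and on the malformed-key path `sidkey` is a valid key rather than an error pointer. Unless code outside the hunk drops the reference, every undersized downcall leaks a key reference; adding `key_put(sidkey);` after the cFYI call in that branch would close it. The enclosing function starts and ends outside the hunk, so this should be confirmed against the full body. Separately, cifs_copy_sid() silently clamps num_subauth, which deserves a comment such as `/* clamp: num_subauth is not trusted and bounds later sub_auth[] accesses */` (the reason is inferred from the commit title, not shown in the hunk).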
+10 -1
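--- a/fs/cifs/dir.c
+++ b/fs/cifs/dir.c
@@ -398,7 +398,16 @@
 * in network traffic in the other paths.
 */
 if (!(oflags & O_CREAT)) {
-struct dentry *res = cifs_lookup(inode, direntry, 0);
+struct dentry *res;
+
+/*
+* Check for hashed negative dentry. We have already revalidated
+* the dentry and it is fine. No need to perform another lookup.
+*/
+if (!d_unhashed(direntry))
+return -ENOENT;
+
+res = cifs_lookup(inode, direntry, 0);
 if (IS_ERR(res))
 return PTR_ERR(res);
 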
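Review bot: The early return `if (!d_unhashed(direntry)) return -ENOENT;` tests only that the dentry is hashed, while the comment above it speaks of a "hashed negative dentry"; nothing in the hunk checks that the dentry has no inode. That is presumably guaranteed by the caller, since the VFS is expected to invoke ->atomic_open only on a negative dentry, but the comment should state the assumption, for example by adding `* direntry is always negative here, so hashed means an already-revalidated negative entry.` The enclosing function starts and ends outside the hunk, so an existing check earlier in the body cannot be ruled out.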