Commit 0013fb4c authored by Pavel Shilovsky's avatar Pavel Shilovsky Committed by Steve French
Browse files

CIFS: Fix possible wrong memory allocation 



when cifs_reconnect sets maxBuf to 0 and we try to calculate a size
of memory we need to store locks.

Signed-off-by: default avatarPavel Shilovsky <pshilovsky@samba.org>
Signed-off-by: default avatarSteve French <sfrench@us.ibm.com>
parent 51eab603

fs/cifs/file.c

+25 −6
Original line number Diff line number Diff line
@@ -876,7 +876,7 @@ cifs_push_mandatory_locks(struct cifsFileInfo *cfile) 
	struct cifsLockInfo *li, *tmp;

	struct cifs_tcon *tcon;

	struct cifsInodeInfo *cinode = CIFS_I(cfile->dentry->d_inode);

	unsigned int num, max_num;

	unsigned int num, max_num, max_buf;

	LOCKING_ANDX_RANGE *buf, *cur;

	int types[] = {LOCKING_ANDX_LARGE_FILES,

		       LOCKING_ANDX_SHARED_LOCK | LOCKING_ANDX_LARGE_FILES};
@@ -892,7 +892,18 @@ cifs_push_mandatory_locks(struct cifsFileInfo *cfile) 
		return rc;

	}



	max_num = (tcon->ses->server->maxBuf - sizeof(struct smb_hdr)) /

	/*

	 * Accessing maxBuf is racy with cifs_reconnect - need to store value

	 * and check it for zero before using.

	 */

	max_buf = tcon->ses->server->maxBuf;

	if (!max_buf) {

		mutex_unlock(&cinode->lock_mutex);

		FreeXid(xid);

		return -EINVAL;

	}



	max_num = (max_buf - sizeof(struct smb_hdr)) /

						sizeof(LOCKING_ANDX_RANGE);

	buf = kzalloc(max_num * sizeof(LOCKING_ANDX_RANGE), GFP_KERNEL);

	if (!buf) {
@@ -1218,7 +1229,7 @@ cifs_unlock_range(struct cifsFileInfo *cfile, struct file_lock *flock, int xid) 
	int types[] = {LOCKING_ANDX_LARGE_FILES,

		       LOCKING_ANDX_SHARED_LOCK | LOCKING_ANDX_LARGE_FILES};

	unsigned int i;

	unsigned int max_num, num;

	unsigned int max_num, num, max_buf;

	LOCKING_ANDX_RANGE *buf, *cur;

	struct cifs_tcon *tcon = tlink_tcon(cfile->tlink);

	struct cifsInodeInfo *cinode = CIFS_I(cfile->dentry->d_inode);
@@ -1228,7 +1239,15 @@ cifs_unlock_range(struct cifsFileInfo *cfile, struct file_lock *flock, int xid) 


	INIT_LIST_HEAD(&tmp_llist);



	max_num = (tcon->ses->server->maxBuf - sizeof(struct smb_hdr)) /

	/*

	 * Accessing maxBuf is racy with cifs_reconnect - need to store value

	 * and check it for zero before using.

	 */

	max_buf = tcon->ses->server->maxBuf;

	if (!max_buf)

		return -EINVAL;



	max_num = (max_buf - sizeof(struct smb_hdr)) /

						sizeof(LOCKING_ANDX_RANGE);

	buf = kzalloc(max_num * sizeof(LOCKING_ANDX_RANGE), GFP_KERNEL);

	if (!buf)