Commit 2e8a05d8 authored by Pavel Shilovsky's avatar Pavel Shilovsky Committed by Steve French
Browse files

CIFS: Fix possible buffer corruption in cifs_user_read() 



If there was a short read in the middle of the rdata list,
we can end up with a corrupt output buffer.

Signed-off-by: default avatarPavel Shilovsky <pshilovsky@samba.org>
Signed-off-by: default avatarSteve French <smfrench@gmail.com>
parent b3160aeb

fs/cifs/file.c

+3 −1
Original line number Original line Diff line number Diff line
@@ -3049,7 +3049,9 @@ ssize_t cifs_user_readv(struct kiocb *iocb, struct iov_iter *to) 
			} else {

			} else {

				rc = cifs_readdata_to_iov(rdata, to);

				rc = cifs_readdata_to_iov(rdata, to);

			}

			}



			/* if there was a short read -- discard anything left */

			if (rdata->got_bytes && rdata->got_bytes < rdata->bytes)

				rc = -ENODATA;

		}

		}

		list_del_init(&rdata->list);

		list_del_init(&rdata->list);

		kref_put(&rdata->refcount, cifs_uncached_readdata_release);

		kref_put(&rdata->refcount, cifs_uncached_readdata_release);