ksmbd: fix out-of-bound read in parse_lease_state()

 */

struct lease_ctx_info *parse_lease_state(void *open_req)

{

	char *data_offset;

	struct create_context *cc;

	unsigned int next = 0;

	char *name;

	bool found = false;

	struct smb2_create_req *req = (struct smb2_create_req *)open_req;

	struct lease_ctx_info *lreq = kzalloc(sizeof(struct lease_ctx_info),

		GFP_KERNEL);

	if (!lreq)

	struct lease_ctx_info *lreq;

	cc = smb2_find_context_vals(req, SMB2_CREATE_REQUEST_LEASE, 4);

	if (IS_ERR_OR_NULL(cc))

		return NULL;

	data_offset = (char *)req + le32_to_cpu(req->CreateContextsOffset);

	cc = (struct create_context *)data_offset;

	do {

		cc = (struct create_context *)((char *)cc + next);

		name = le16_to_cpu(cc->NameOffset) + (char *)cc;

		if (le16_to_cpu(cc->NameLength) != 4 ||

		    strncmp(name, SMB2_CREATE_REQUEST_LEASE, 4)) {

			next = le32_to_cpu(cc->Next);

			continue;

		}

		found = true;

		break;

	} while (next != 0);

	lreq = kzalloc(sizeof(struct lease_ctx_info), GFP_KERNEL);

	if (!lreq)

		return NULL;

	if (found) {

	if (sizeof(struct lease_context_v2) == le32_to_cpu(cc->DataLength)) {

		struct create_lease_v2 *lc = (struct create_lease_v2 *)cc;

	return lreq;

}

	kfree(lreq);

	return NULL;

}

/**

 * smb2_find_context_vals() - find a particular context info in open request

 * @open_req:	buffer containing smb2 file open(create) request