cifs: Allocate validate negotiation request through kmalloc

author Long Li <longli@microsoft.com>

Wed, 25 Apr 2018 18:30:04 +0000 (11:30 -0700)

committer Stefan Bader <stefan.bader@canonical.com>

Mon, 1 Oct 2018 12:58:09 +0000 (14:58 +0200)
author Long Li <longli@microsoft.com>
Wed, 25 Apr 2018 18:30:04 +0000 (11:30 -0700)
committer Stefan Bader <stefan.bader@canonical.com>
Mon, 1 Oct 2018 12:58:09 +0000 (14:58 +0200)
diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c

index f942827ca0cb1beb6afe9c3109dd3a5e3083c6c7..8f46eb62a5ef9a74e20501b76fbc0d3a8f9d1a9b 100644 (file)
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -646,8 +646,8 @@ neg_exit:
  
  int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon)
  {
-       int rc = 0;
-       struct validate_negotiate_info_req vneg_inbuf;
+       int rc;
+       struct validate_negotiate_info_req *pneg_inbuf;
         struct validate_negotiate_info_rsp *pneg_rsp = NULL;
         u32 rsplen;
         u32 inbuflen; /* max of 4 dialects */
@@ -672,63 +672,69 @@ int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon)
         if (tcon->ses->session_flags & SMB2_SESSION_FLAG_IS_NULL)
                 cifs_dbg(VFS, "Unexpected null user (anonymous) auth flag sent by server\n");
  
-       vneg_inbuf.Capabilities =
+       pneg_inbuf = kmalloc(sizeof(*pneg_inbuf), GFP_NOFS);
+       if (!pneg_inbuf)
+               return -ENOMEM;
+
+       pneg_inbuf->Capabilities =
                         cpu_to_le32(tcon->ses->server->vals->req_capabilities);
-       memcpy(vneg_inbuf.Guid, tcon->ses->server->client_guid,
+       memcpy(pneg_inbuf->Guid, tcon->ses->server->client_guid,
                                         SMB2_CLIENT_GUID_SIZE);
  
         if (tcon->ses->sign)
-               vneg_inbuf.SecurityMode =
+               pneg_inbuf->SecurityMode =
                         cpu_to_le16(SMB2_NEGOTIATE_SIGNING_REQUIRED);
         else if (global_secflags & CIFSSEC_MAY_SIGN)
-               vneg_inbuf.SecurityMode =
+               pneg_inbuf->SecurityMode =
                         cpu_to_le16(SMB2_NEGOTIATE_SIGNING_ENABLED);
         else
-               vneg_inbuf.SecurityMode = 0;
+               pneg_inbuf->SecurityMode = 0;
  
  
         if (strcmp(tcon->ses->server->vals->version_string,
                 SMB3ANY_VERSION_STRING) == 0) {
-               vneg_inbuf.Dialects[0] = cpu_to_le16(SMB30_PROT_ID);
-               vneg_inbuf.Dialects[1] = cpu_to_le16(SMB302_PROT_ID);
-               vneg_inbuf.DialectCount = cpu_to_le16(2);
+               pneg_inbuf->Dialects[0] = cpu_to_le16(SMB30_PROT_ID);
+               pneg_inbuf->Dialects[1] = cpu_to_le16(SMB302_PROT_ID);
+               pneg_inbuf->DialectCount = cpu_to_le16(2);
                 /* structure is big enough for 3 dialects, sending only 2 */
-               inbuflen = sizeof(struct validate_negotiate_info_req) - 2;
+               inbuflen = sizeof(*pneg_inbuf) -
+                               sizeof(pneg_inbuf->Dialects[0]);
         } else if (strcmp(tcon->ses->server->vals->version_string,
                 SMBDEFAULT_VERSION_STRING) == 0) {
-               vneg_inbuf.Dialects[0] = cpu_to_le16(SMB21_PROT_ID);
-               vneg_inbuf.Dialects[1] = cpu_to_le16(SMB30_PROT_ID);
-               vneg_inbuf.Dialects[2] = cpu_to_le16(SMB302_PROT_ID);
-               vneg_inbuf.DialectCount = cpu_to_le16(3);
+               pneg_inbuf->Dialects[0] = cpu_to_le16(SMB21_PROT_ID);
+               pneg_inbuf->Dialects[1] = cpu_to_le16(SMB30_PROT_ID);
+               pneg_inbuf->Dialects[2] = cpu_to_le16(SMB302_PROT_ID);
+               pneg_inbuf->DialectCount = cpu_to_le16(3);
                 /* structure is big enough for 3 dialects */
-               inbuflen = sizeof(struct validate_negotiate_info_req);
+               inbuflen = sizeof(*pneg_inbuf);
         } else {
                 /* otherwise specific dialect was requested */
-               vneg_inbuf.Dialects[0] =
+               pneg_inbuf->Dialects[0] =
                         cpu_to_le16(tcon->ses->server->vals->protocol_id);
-               vneg_inbuf.DialectCount = cpu_to_le16(1);
+               pneg_inbuf->DialectCount = cpu_to_le16(1);
                 /* structure is big enough for 3 dialects, sending only 1 */
-               inbuflen = sizeof(struct validate_negotiate_info_req) - 4;
+               inbuflen = sizeof(*pneg_inbuf) -
+                               sizeof(pneg_inbuf->Dialects[0]) * 2;
         }
  
         rc = SMB2_ioctl(xid, tcon, NO_FILE_ID, NO_FILE_ID,
                 FSCTL_VALIDATE_NEGOTIATE_INFO, true /* is_fsctl */,
-               (char *)&vneg_inbuf, sizeof(struct validate_negotiate_info_req),
-               (char **)&pneg_rsp, &rsplen);
+               (char *)pneg_inbuf, inbuflen, (char **)&pneg_rsp, &rsplen);
  
         if (rc != 0) {
                 cifs_dbg(VFS, "validate protocol negotiate failed: %d\n", rc);
-               return -EIO;
+               rc = -EIO;
+               goto out_free_inbuf;
         }
  
-       if (rsplen != sizeof(struct validate_negotiate_info_rsp)) {
+       rc = -EIO;
+       if (rsplen != sizeof(*pneg_rsp)) {
                 cifs_dbg(VFS, "invalid protocol negotiate response size: %d\n",
                          rsplen);
  
                 /* relax check since Mac returns max bufsize allowed on ioctl */
-               if ((rsplen > CIFSMaxBufSize)
-                    || (rsplen < sizeof(struct validate_negotiate_info_rsp)))
-                       goto err_rsp_free;
+               if (rsplen > CIFSMaxBufSize || rsplen < sizeof(*pneg_rsp))
+                       goto out_free_rsp;
         }
  
         /* check validate negotiate info response matches what we got earlier */
@@ -745,15 +751,17 @@ int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon)
                 goto vneg_out;
  
         /* validate negotiate successful */
+       rc = 0;
         cifs_dbg(FYI, "validate negotiate info successful\n");
-       kfree(pneg_rsp);
-       return 0;
+       goto out_free_rsp;
  
  vneg_out:
         cifs_dbg(VFS, "protocol revalidation - security settings mismatch\n");
-err_rsp_free:
+out_free_rsp:
         kfree(pneg_rsp);
-       return -EIO;
+out_free_inbuf:
+       kfree(pneg_inbuf);
+       return rc;
  }
  
  enum securityEnum
author	Long Li <longli@microsoft.com>
	Wed, 25 Apr 2018 18:30:04 +0000 (11:30 -0700)
committer	Stefan Bader <stefan.bader@canonical.com>
	Mon, 1 Oct 2018 12:58:09 +0000 (14:58 +0200)