This is a note to let you know that I've just added the patch titled
cifs: change bleft in decode_unicode_ssetup back to signed type
to the 2.6.38-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
cifs-change-bleft-in-decode_unicode_ssetup-back-to-signed-type.patch
and it can be found in the queue-2.6.38 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <[email protected]> know about it.
>From bfacf2225a955bea9c41c707fc72ba16009674a0 Mon Sep 17 00:00:00 2001
From: Jeff Layton <[email protected]>
Date: Wed, 27 Apr 2011 13:25:51 -0400
Subject: cifs: change bleft in decode_unicode_ssetup back to signed type
From: Jeff Layton <[email protected]>
commit bfacf2225a955bea9c41c707fc72ba16009674a0 upstream.
The buffer length checks in this function depend on this value being a
signed data type, but 690c522fa converted it to an unsigned type.
Also, eliminate a problem with the null termination check in the same
function. cifs_strndup_from_ucs handles that situation correctly
already, and the existing check could potentially lead to a buffer
overrun since it increments bleft without checking to see whether it
falls off the end of the buffer.
Reported-and-Acked-by: David Howells <[email protected]>
Signed-off-by: Jeff Layton <[email protected]>
Signed-off-by: Steve French <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
fs/cifs/sess.c | 15 +--------------
1 file changed, 1 insertion(+), 14 deletions(-)
--- a/fs/cifs/sess.c
+++ b/fs/cifs/sess.c
@@ -277,7 +277,7 @@ static void ascii_ssetup_strings(char **
}
static void
-decode_unicode_ssetup(char **pbcc_area, __u16 bleft, struct cifsSesInfo *ses,
+decode_unicode_ssetup(char **pbcc_area, int bleft, struct cifsSesInfo *ses,
const struct nls_table *nls_cp)
{
int len;
@@ -285,19 +285,6 @@ decode_unicode_ssetup(char **pbcc_area,
cFYI(1, "bleft %d", bleft);
- /*
- * Windows servers do not always double null terminate their final
- * Unicode string. Check to see if there are an uneven number of bytes
- * left. If so, then add an extra NULL pad byte to the end of the
- * response.
- *
- * See section 2.7.2 in "Implementing CIFS" for details
- */
- if (bleft % 2) {
- data[bleft] = 0;
- ++bleft;
- }
-
kfree(ses->serverOS);
ses->serverOS = cifs_strndup_from_ucs(data, bleft, true, nls_cp);
cFYI(1, "serverOS=%s", ses->serverOS);
Patches currently in stable-queue which might be from [email protected] are
queue-2.6.38/cifs-handle-errors-from-coalesce_t2.patch
queue-2.6.38/cifs-refactor-mid-finding-loop-in-cifs_demultiplex_thread.patch
queue-2.6.38/cifs-change-bleft-in-decode_unicode_ssetup-back-to-signed-type.patch
queue-2.6.38/cifs-check-for-bytes_remaining-going-to-zero-in-cifs_sesssetup.patch
queue-2.6.38/cifs-sanitize-length-checking-in-coalesce_t2-try-3.patch
_______________________________________________
stable mailing list
[email protected]
http://linux.kernel.org/mailman/listinfo/stable
