This is a note to let you know that I've just added the patch titled
cifs: handle errors from coalesce_t2
to the 2.6.38-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
cifs-handle-errors-from-coalesce_t2.patch
and it can be found in the queue-2.6.38 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <[email protected]> know about it.
From 16541ba11c4f04ffe94b073e301f00b749fb84a1 Mon Sep 17 00:00:00 2001
From: Jeff Layton <[email protected]>
Date: Fri, 29 Apr 2011 06:52:44 -0400
Subject: cifs: handle errors from coalesce_t2
From: Jeff Layton <[email protected]>
commit 16541ba11c4f04ffe94b073e301f00b749fb84a1 upstream.
cifs_demultiplex_thread calls coalesce_t2 to try and merge follow-on t2
responses into the original mid buffer. coalesce_t2 however can return
errors, but the caller doesn't handle that situation properly. Fix the
thread to treat such a case as it would a malformed packet. Mark the
mid as being malformed and issue the callback.
Acked-by: David Howells <[email protected]>
Signed-off-by: Jeff Layton <[email protected]>
Signed-off-by: Steve French <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
fs/cifs/connect.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -631,12 +631,16 @@ incomplete_rcv:
isMultiRsp = true;
if (mid_entry->resp_buf) {
/* merge response - fix up 1st*/
- if (coalesce_t2(smb_buffer,
- mid_entry->resp_buf)) {
+ length = coalesce_t2(smb_buffer,
+ mid_entry->resp_buf);
+ if (length > 0) {
+ length = 0;
mid_entry->multiRsp = true;
break;
} else {
- /* all parts received */
+ /* all parts received or
+ * packet is malformed
+ */
mid_entry->multiEnd = true;
goto multi_t2_fnd;
}
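Review bot: In the else branch, a negative return from coalesce_t2 now shares a path with the zero ("all parts received") case, and nothing in this hunk marks the mid as malformed; that is left to whatever happens to a negative `length` after `multi_t2_fnd`, which is not visible in these lines. Since the commit message says the mid is marked malformed and the callback issued, the new comment should state that a negative `length` is deliberately carried to `multi_t2_fnd` for that purpose, or the error case should get its own `else if (length < 0)` branch so the two outcomes are distinguishable when reading the code. The `length = 0;` reset before `break` also deserves a one-line comment: `length` is an existing variable being reused to hold the coalesce_t2 return value, and the reason it must be cleared on the success path is not evident from the hunk.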
Patches currently in stable-queue which might be from [email protected] are
queue-2.6.38/cifs-handle-errors-from-coalesce_t2.patch
queue-2.6.38/cifs-refactor-mid-finding-loop-in-cifs_demultiplex_thread.patch
queue-2.6.38/cifs-change-bleft-in-decode_unicode_ssetup-back-to-signed-type.patch
queue-2.6.38/cifs-check-for-bytes_remaining-going-to-zero-in-cifs_sesssetup.patch
queue-2.6.38/cifs-sanitize-length-checking-in-coalesce_t2-try-3.patch