cifs: check for bytes_remaining going to zero in CIFS_SessSetup

commit fcda7f4578 upstream. It's possible that when we go to decode the string area in the SESSION_SETUP response, that bytes_remaining will be 0. Decrementing it at that point will mean that it can go "negative" and wrap. Check for a bytes_remaining value of 0, and don't try to decode the string area if that's the case. Reported-and-Acked-by: David Howells <dhowells@redhat.com> Signed-off-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve French <sfrench@us.ibm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2026-06-10 04:48:04 +09:00 · 2011-04-27 13:25:51 -04:00
parent 790b1f612d
commit b3f815365f
1 changed files with 3 additions and 1 deletions
--- a/fs/cifs/sess.c
+++ b/fs/cifs/sess.c
@@ -906,7 +906,9 @@ ssetup_ntlmssp_authenticate:
 	}

 	/* BB check if Unicode and decode strings */
-	if (smb_buf->Flags2 & SMBFLG2_UNICODE) {
+	if (bytes_remaining == 0) {
+		/* no string area to decode, do nothing */
+	} else if (smb_buf->Flags2 & SMBFLG2_UNICODE) {
 		/* unicode string area must be word-aligned */
 		if (((unsigned long) bcc_ptr - (unsigned long) smb_buf) % 2) {
 			++bcc_ptr;