From: Jeff Layton <jlayton@redhat.com>
Date: Wed, 27 Apr 2011 17:25:51 +0000 (-0400)
Subject: cifs: check for bytes_remaining going to zero in CIFS_SessSetup
X-Git-Url: http://git.cdn.openwrt.org/?a=commitdiff_plain;h=fcda7f4578bbf9717444ca6da8a421d21489d078;p=openwrt%2Fstaging%2Fblogic.git

cifs: check for bytes_remaining going to zero in CIFS_SessSetup

It's possible that when we go to decode the string area in the
SESSION_SETUP response, that bytes_remaining will be 0. Decrementing it at
that point will mean that it can go "negative" and wrap. Check for a
bytes_remaining value of 0, and don't try to decode the string area if
that's the case.

Cc: stable@kernel.org
Reported-and-Acked-by: David Howells <dhowells@redhat.com>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
---

diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
index 2e2c91103529..645114ad0a10 100644
--- a/fs/cifs/sess.c
+++ b/fs/cifs/sess.c
@@ -916,7 +916,9 @@ ssetup_ntlmssp_authenticate:
 	}
 
 	/* BB check if Unicode and decode strings */
-	if (smb_buf->Flags2 & SMBFLG2_UNICODE) {
+	if (bytes_remaining == 0) {
+		/* no string area to decode, do nothing */
+	} else if (smb_buf->Flags2 & SMBFLG2_UNICODE) {
 		/* unicode string area must be word-aligned */
 		if (((unsigned long) bcc_ptr - (unsigned long) smb_buf) % 2) {
 			++bcc_ptr;