3.16.52-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: David Disseldorp ddiss@suse.de
commit a2d9daad1d2dfbd307ab158044d1c323d7babbde upstream.
An undersize validate negotiate info server response causes the client to use uninitialised memory for struct validate_negotiate_info_rsp comparisons of Dialect, SecurityMode and/or Capabilities members.
Link: https://bugzilla.samba.org/show_bug.cgi?id=13092 Fixes: 7db0a6efdc3e ("SMB3: Work around mount failure when using SMB3 dialect to Macs") Signed-off-by: David Disseldorp ddiss@suse.de Reviewed-by: Pavel Shilovsky pshilov@microsoft.com Signed-off-by: Steve French smfrench@gmail.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- fs/cifs/smb2pdu.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
--- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c @@ -535,7 +535,8 @@ int smb3_validate_negotiate(const unsign rsplen);
/* relax check since Mac returns max bufsize allowed on ioctl */ - if (rsplen > CIFSMaxBufSize) + if ((rsplen > CIFSMaxBufSize) + || (rsplen < sizeof(struct validate_negotiate_info_rsp))) goto err_rsp_free; }