cifs: fix buffer overrun in parse_DFS_referrals

[linux-2.6-omap-h63xx.git] / fs / cifs / cifssmb.c

diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c
index e6bb2d9d5b091e8407e7721a21fe3916576b3104..6d51696dc762d3b6656ed027fe2d7ed40d549409 100644 (file)
--- a/fs/cifs/cifssmb.c
+++ b/fs/cifs/cifssmb.c
@@ -295,7 +295,7 @@ smb_init(int smb_command, int wct, struct cifsTconInfo *tcon,
           check for tcp and smb session status done differently
           for those three - in the calling routine */
        if (tcon) {
-               if (tcon->need_reconnect) {
+               if (tcon->tidStatus == CifsExiting) {
                        /* only tree disconnect, open, and write,
                          (and ulogoff which does not have tcon)
                          are allowed as we start force umount */
@@ -3899,6 +3899,27 @@ GetInodeNumOut:
        return rc;
 }
 
+/* computes length of UCS string converted to host codepage
+ * @src:       UCS string
+ * @maxlen:    length of the input string in UCS characters
+ *             (not in bytes)
+ *
+ * return:     size of input string in host codepage
+ */
+static int hostlen_fromUCS(const __le16 *src, const int maxlen,
+               const struct nls_table *nls_codepage) {
+       int i;
+       int hostlen = 0;
+       char to[4];
+       int charlen;
+       for (i = 0; (i < maxlen) && src[i]; ++i) {
+               charlen = nls_codepage->uni2char(le16_to_cpu(src[i]),
+                               to, NLS_MAX_CHARSET_SIZE);
+               hostlen += charlen > 0 ? charlen : 1;
+       }
+       return hostlen;
+}
+
 /* parses DFS refferal V3 structure
  * caller is responsible for freeing target_nodes
  * returns:
@@ -3909,7 +3930,8 @@ static int
 parse_DFS_referrals(TRANSACTION2_GET_DFS_REFER_RSP *pSMBr,
                unsigned int *num_of_nodes,
                struct dfs_info3_param **target_nodes,
-               const struct nls_table *nls_codepage)
+               const struct nls_table *nls_codepage, int remap,
+               const char *searchName)
 {
        int i, rc = 0;
        char *data_end;
@@ -3960,7 +3982,18 @@ parse_DFS_referrals(TRANSACTION2_GET_DFS_REFER_RSP *pSMBr,
                struct dfs_info3_param *node = (*target_nodes)+i;
 
                node->flags = le16_to_cpu(pSMBr->DFSFlags);
-               node->path_consumed = le16_to_cpu(pSMBr->PathConsumed);
+               if (is_unicode) {
+                       __le16 *tmp = kmalloc(strlen(searchName)*2 + 2,
+                                               GFP_KERNEL);
+                       cifsConvertToUCS((__le16 *) tmp, searchName,
+                                       PATH_MAX, nls_codepage, remap);
+                       node->path_consumed = hostlen_fromUCS(tmp,
+                                       le16_to_cpu(pSMBr->PathConsumed)/2,
+                                       nls_codepage);
+                       kfree(tmp);
+               } else
+                       node->path_consumed = le16_to_cpu(pSMBr->PathConsumed);
+
                node->server_type = le16_to_cpu(ref->ServerType);
                node->ref_flag = le16_to_cpu(ref->ReferralEntryFlags);
 
@@ -4093,7 +4126,8 @@ getDFSRetry:
 
        /* parse returned result into more usable form */
        rc = parse_DFS_referrals(pSMBr, num_of_nodes,
-                                target_nodes, nls_codepage);
+                                target_nodes, nls_codepage, remap,
+                                searchName);
 
 GetDFSRefExit:
        cifs_buf_release(pSMB);