diff options
| author | Long Li <longli@microsoft.com> | 2018-04-25 11:30:04 -0700 |
|---|---|---|
| committer | Ben Hutchings <ben@decadent.org.uk> | 2018-10-21 08:45:58 +0100 |
| commit | 17aa2271b216c29d92c9dae2c3cd582c25464f60 (patch) | |
| tree | c4c1d96b3f99ec0e920f66c950510331143a6a1c /net/batman-adv | |
| parent | dd928eae0c98b4685eb36b474e61710546875b7d (diff) | |
cifs: Allocate validate negotiation request through kmalloc
commit 2796d303e3c5ec213c578ed3a66872205c126eb8 upstream.
The data buffer allocated on the stack can't be DMA'ed, ib_dma_map_page will
return an invalid DMA address for a buffer on stack. Even worse, this
incorrect address can't be detected by ib_dma_mapping_error. Sending data
from this address to hardware will not fail, but the remote peer will get
junk data.
Fix this by allocating the request on the heap in smb3_validate_negotiate.
Changes in v2:
Removed duplicated code on freeing buffers on function exit.
(Thanks to Parav Pandit <parav@mellanox.com>)
Fixed typo in the patch title.
Changes in v3:
Added "Fixes" to the patch.
Changed several sizeof() to use *pointer in place of struct.
Changes in v4:
Added detailed comments on the failure through RDMA.
Allocate request buffer using GPF_NOFS.
Fixed possible memory leak.
Changes in v5:
Removed variable ret for checking return value.
Changed to use pneg_inbuf->Dialects[0] to calculate unused space in pneg_inbuf.
Fixes: ff1c038addc4 ("Check SMB3 dialects against downgrade attacks")
Signed-off-by: Long Li <longli@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
Reviewed-by: Tom Talpey <ttalpey@microsoft.com>
[bwh: Backported to 3.16: We only ever pass one dialect]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Diffstat (limited to 'net/batman-adv')
0 files changed, 0 insertions, 0 deletions