CIFS: Fix possible buffer corruption in cifs_user_read()
authorPavel Shilovsky <pshilovsky@samba.org>
Thu, 10 Jul 2014 06:21:15 +0000 (10:21 +0400)
committerSteve French <smfrench@gmail.com>
Sat, 2 Aug 2014 06:23:04 +0000 (01:23 -0500)
If there was a short read in the middle of the rdata list,
we can end up with a corrupt output buffer.

Signed-off-by: Pavel Shilovsky <pshilovsky@samba.org>
Signed-off-by: Steve French <smfrench@gmail.com>
fs/cifs/file.c

index 3ea6fc86a4718550655d61f9940b1a8c57049a4f..c3390e2c6e0d33a8aa75fe3893270ed6ea31c01f 100644 (file)
@@ -3049,7 +3049,9 @@ again:
                        } else {
                                rc = cifs_readdata_to_iov(rdata, to);
                        }
-
+                       /* if there was a short read -- discard anything left */
+                       if (rdata->got_bytes && rdata->got_bytes < rdata->bytes)
+                               rc = -ENODATA;
                }
                list_del_init(&rdata->list);
                kref_put(&rdata->refcount, cifs_uncached_readdata_release);