From: Paulo Alcantara <paulo@paulo.ac>
Date: Fri, 15 Jun 2018 15:58:00 -0300
Subject: [PATCH] cifs: Fix invalid check in __cifs_calc_signature()
Git-commit: 83ffdeadb46b61580c4c9a5319bd76d258a2963d
Patch-mainline: v4.18-rc1
References: bsc#1144333
The following check would never evaluate to true:
> if (i == 0 && iov[0].iov_len <= 4)
Because 'i' always starts at 1.
This patch fixes it and also move the header checks outside the for loop
- which makes more sense.
Signed-off-by: Paulo Alcantara <palcantara@suse.de>
Signed-off-by: Steve French <stfrench@microsoft.com>
Acked-by: Aurelien Aptel <aaptel@suse.com>
---
fs/cifs/cifsencrypt.c | 15 ++++++---------
1 file changed, 6 insertions(+), 9 deletions(-)
diff --git a/fs/cifs/cifsencrypt.c b/fs/cifs/cifsencrypt.c
index f23ff848b158..ee2a8ec70056 100644
--- a/fs/cifs/cifsencrypt.c
+++ b/fs/cifs/cifsencrypt.c
@@ -48,26 +48,23 @@ int __cifs_calc_signature(struct smb_rqst *rqst,
/* iov[0] is actual data and not the rfc1002 length for SMB2+ */
if (is_smb2) {
- rc = crypto_shash_update(shash,
- iov[0].iov_base, iov[0].iov_len);
+ if (iov[0].iov_len <= 4)
+ return -EIO;
+ i = 0;
} else {
if (n_vec < 2 || iov[0].iov_len != 4)
return -EIO;
+ i = 1; /* skip rfc1002 length */
}
- for (i = 1; i < n_vec; i++) {
+ for (; i < n_vec; i++) {
if (iov[i].iov_len == 0)
continue;
if (iov[i].iov_base == NULL) {
cifs_dbg(VFS, "null iovec entry\n");
return -EIO;
}
- if (is_smb2) {
- if (i == 0 && iov[0].iov_len <= 4)
- break; /* nothing to sign or corrupt header */
- } else
- if (i == 1 && iov[1].iov_len <= 4)
- break; /* nothing to sign or corrupt header */
+
rc = crypto_shash_update(shash,
iov[i].iov_base, iov[i].iov_len);
if (rc) {
--
2.16.4