<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/fs/cifs, branch linux-3.1.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>cifs: check for NULL last_entry before calling cifs_save_resume_key</title>
<updated>2011-12-21T20:58:30+00:00</updated>
<author>
<name>Jeff Layton</name>
<email>jlayton@redhat.com</email>
</author>
<published>2011-12-02T01:23:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=5bf4dba2647ee7eb377cb0f809d7abea461d34ae'/>
<id>5bf4dba2647ee7eb377cb0f809d7abea461d34ae</id>
<content type='text'>
commit 7023676f9ee851d94f0942e879243fc1f9081c47 upstream.

Prior to commit eaf35b1, cifs_save_resume_key had some NULL pointer
checks at the top. It turns out that at least one of those NULL
pointer checks is needed after all.

When the LastNameOffset in a FIND reply appears to be beyond the end of
the buffer, CIFSFindFirst and CIFSFindNext will set srch_inf.last_entry
to NULL. Since eaf35b1, the code will now oops in this situation.

Fix this by having the callers check for a NULL last entry pointer
before calling cifs_save_resume_key. No change is needed for the
call site in cifs_readdir as it's not reachable with a NULL
current_entry pointer.

This should fix:

    https://bugzilla.redhat.com/show_bug.cgi?id=750247

Cc: Christoph Hellwig &lt;hch@infradead.org&gt;
Reported-by: Adam G. Metzler &lt;adamgmetzler@gmail.com&gt;
Signed-off-by: Jeff Layton &lt;jlayton@redhat.com&gt;
Signed-off-by: Steve French &lt;smfrench@gmail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 7023676f9ee851d94f0942e879243fc1f9081c47 upstream.

Prior to commit eaf35b1, cifs_save_resume_key had some NULL pointer
checks at the top. It turns out that at least one of those NULL
pointer checks is needed after all.

When the LastNameOffset in a FIND reply appears to be beyond the end of
the buffer, CIFSFindFirst and CIFSFindNext will set srch_inf.last_entry
to NULL. Since eaf35b1, the code will now oops in this situation.

Fix this by having the callers check for a NULL last entry pointer
before calling cifs_save_resume_key. No change is needed for the
call site in cifs_readdir as it's not reachable with a NULL
current_entry pointer.

This should fix:

    https://bugzilla.redhat.com/show_bug.cgi?id=750247

Cc: Christoph Hellwig &lt;hch@infradead.org&gt;
Reported-by: Adam G. Metzler &lt;adamgmetzler@gmail.com&gt;
Signed-off-by: Jeff Layton &lt;jlayton@redhat.com&gt;
Signed-off-by: Steve French &lt;smfrench@gmail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>CIFS: Fix DFS handling in cifs_get_file_info</title>
<updated>2011-11-11T17:42:10+00:00</updated>
<author>
<name>Pavel Shilovsky</name>
<email>piastry@etersoft.ru</email>
</author>
<published>2011-10-22T10:37:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=436318f9b483fa56bbecd8316b921f5876eddc14'/>
<id>436318f9b483fa56bbecd8316b921f5876eddc14</id>
<content type='text'>
commit 42274bb22afc3e877ae5abed787b0b09d7dede52 upstream.

We should call cifs_all_info_to_fattr in rc == 0 case only.

Signed-off-by: Pavel Shilovsky &lt;piastry@etersoft.ru&gt;
Reviewed-by: Jeff Layton &lt;jlayton@redhat.com&gt;
Signed-off-by: Steve French &lt;smfrench@gmail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 42274bb22afc3e877ae5abed787b0b09d7dede52 upstream.

We should call cifs_all_info_to_fattr in rc == 0 case only.

Signed-off-by: Pavel Shilovsky &lt;piastry@etersoft.ru&gt;
Reviewed-by: Jeff Layton &lt;jlayton@redhat.com&gt;
Signed-off-by: Steve French &lt;smfrench@gmail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>CIFS: Fix incorrect max RFC1002 write size value</title>
<updated>2011-11-11T17:42:10+00:00</updated>
<author>
<name>Pavel Shilovsky</name>
<email>piastry@etersoft.ru</email>
</author>
<published>2011-10-07T14:57:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=405a281820d8be91ca88d160560770aa6df26679'/>
<id>405a281820d8be91ca88d160560770aa6df26679</id>
<content type='text'>
commit 94443f43404239c2a6dc4252a7cb9e77f5b1eb6e upstream.

..the length field has only 17 bits.

Acked-by: Jeff Layton &lt;jlayton@samba.org&gt;
Signed-off-by: Pavel Shilovsky &lt;piastry@etersoft.ru&gt;
Signed-off-by: Steve French &lt;smfrench@gmail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 94443f43404239c2a6dc4252a7cb9e77f5b1eb6e upstream.

..the length field has only 17 bits.

Acked-by: Jeff Layton &lt;jlayton@samba.org&gt;
Signed-off-by: Pavel Shilovsky &lt;piastry@etersoft.ru&gt;
Signed-off-by: Steve French &lt;smfrench@gmail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>[CIFS] Fix first time message on mount, ntlmv2 upgrade delayed to 3.2</title>
<updated>2011-10-08T01:17:56+00:00</updated>
<author>
<name>Steve French</name>
<email>sfrench@us.ibm.com</email>
</author>
<published>2011-10-07T04:14:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=9d1e397b7bafe843564eab26ed3f682637159c6c'/>
<id>9d1e397b7bafe843564eab26ed3f682637159c6c</id>
<content type='text'>
Microsoft has a bug with ntlmv2 that requires use of ntlmssp, but
we didn't get the required information on when/how to use ntlmssp to
old (but once very popular) legacy servers (various NT4 fixpacks
for example) until too late to merge for 3.1.  Will upgrade
to NTLMv2 in NTLMSSP in 3.2

Signed-off-by: Steve French &lt;smfrench@gmail.com&gt;
Reviewed-by: Jeff Layton &lt;jlayton@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Microsoft has a bug with ntlmv2 that requires use of ntlmssp, but
we didn't get the required information on when/how to use ntlmssp to
old (but once very popular) legacy servers (various NT4 fixpacks
for example) until too late to merge for 3.1.  Will upgrade
to NTLMv2 in NTLMSSP in 3.2

Signed-off-by: Steve French &lt;smfrench@gmail.com&gt;
Reviewed-by: Jeff Layton &lt;jlayton@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>cifs: Fix broken sec=ntlmv2/i sec option (try #2)</title>
<updated>2011-09-20T02:16:58+00:00</updated>
<author>
<name>Shirish Pargaonkar</name>
<email>shirishpargaonkar@gmail.com</email>
</author>
<published>2011-08-25T04:05:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=cfbd6f84c2e26c13ded16b6bb0871edb7d75974f'/>
<id>cfbd6f84c2e26c13ded16b6bb0871edb7d75974f</id>
<content type='text'>
Fix sec=ntlmv2/i authentication option during mount of Samba shares.

cifs client was coding ntlmv2 response incorrectly.
All that is needed in temp as specified in MS-NLMP seciton 3.3.2

"Define ComputeResponse(NegFlg, ResponseKeyNT, ResponseKeyLM,
CHALLENGE_MESSAGE.ServerChallenge, ClientChallenge, Time, ServerName)

as
Set temp to ConcatenationOf(Responserversion, HiResponserversion,
Z(6), Time, ClientChallenge, Z(4), ServerName, Z(4)"

is MsvAvNbDomainName.

For sec=ntlmsspi, build_av_pair is not used, a blob is plucked from
type 2 response sent by the server to use in authentication.

I tested sec=ntlmv2/i and sec=ntlmssp/i mount options against
Samba (3.6) and Windows - XP, 2003 Server and 7.
They all worked.

Signed-off-by: Shirish Pargaonkar &lt;shirishpargaonkar@gmail.com&gt;
Signed-off-by: Steve French &lt;sfrench@us.ibm.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Fix sec=ntlmv2/i authentication option during mount of Samba shares.

cifs client was coding ntlmv2 response incorrectly.
All that is needed in temp as specified in MS-NLMP seciton 3.3.2

"Define ComputeResponse(NegFlg, ResponseKeyNT, ResponseKeyLM,
CHALLENGE_MESSAGE.ServerChallenge, ClientChallenge, Time, ServerName)

as
Set temp to ConcatenationOf(Responserversion, HiResponserversion,
Z(6), Time, ClientChallenge, Z(4), ServerName, Z(4)"

is MsvAvNbDomainName.

For sec=ntlmsspi, build_av_pair is not used, a blob is plucked from
type 2 response sent by the server to use in authentication.

I tested sec=ntlmv2/i and sec=ntlmssp/i mount options against
Samba (3.6) and Windows - XP, 2003 Server and 7.
They all worked.

Signed-off-by: Shirish Pargaonkar &lt;shirishpargaonkar@gmail.com&gt;
Signed-off-by: Steve French &lt;sfrench@us.ibm.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Fix the conflict between rwpidforward and rw mount options</title>
<updated>2011-09-20T02:16:20+00:00</updated>
<author>
<name>Steve French</name>
<email>sfrench@us.ibm.com</email>
</author>
<published>2011-08-29T18:54:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=c9c7fa0064f4afe1d040e72f24c2256dd8ac402d'/>
<id>c9c7fa0064f4afe1d040e72f24c2256dd8ac402d</id>
<content type='text'>
Both these options are started with "rw" - that's why the first one
isn't switched on even if it is specified. Fix this by adding a length
check for "rw" option check.

Cc: &lt;stable@kernel.org&gt;
Signed-off-by: Pavel Shilovsky &lt;piastry@etersoft.ru&gt;
Signed-off-by: Steve French &lt;sfrench@us.ibm.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Both these options are started with "rw" - that's why the first one
isn't switched on even if it is specified. Fix this by adding a length
check for "rw" option check.

Cc: &lt;stable@kernel.org&gt;
Signed-off-by: Pavel Shilovsky &lt;piastry@etersoft.ru&gt;
Signed-off-by: Steve French &lt;sfrench@us.ibm.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>CIFS: Fix ERR_PTR dereference in cifs_get_root</title>
<updated>2011-09-20T02:15:03+00:00</updated>
<author>
<name>Pavel Shilovsky</name>
<email>piastryyy@gmail.com</email>
</author>
<published>2011-08-21T15:30:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=5b980b01212199833ee8023770fa4cbf1b85e9f4'/>
<id>5b980b01212199833ee8023770fa4cbf1b85e9f4</id>
<content type='text'>
move it to the beginning of the loop.

Signed-off-by: Pavel Shilovsky &lt;piastryyy@gmail.com&gt;
Reviewed-by: Jeff Layton &lt;jlayton@redhat.com&gt;
Signed-off-by: Steve French &lt;sfrench@us.ibm.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
move it to the beginning of the loop.

Signed-off-by: Pavel Shilovsky &lt;piastryyy@gmail.com&gt;
Reviewed-by: Jeff Layton &lt;jlayton@redhat.com&gt;
Signed-off-by: Steve French &lt;sfrench@us.ibm.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>cifs: fix possible memory corruption in CIFSFindNext</title>
<updated>2011-09-20T02:14:40+00:00</updated>
<author>
<name>Jeff Layton</name>
<email>jlayton@redhat.com</email>
</author>
<published>2011-08-23T11:21:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=9438fabb73eb48055b58b89fc51e0bc4db22fabd'/>
<id>9438fabb73eb48055b58b89fc51e0bc4db22fabd</id>
<content type='text'>
The name_len variable in CIFSFindNext is a signed int that gets set to
the resume_name_len in the cifs_search_info. The resume_name_len however
is unsigned and for some infolevels is populated directly from a 32 bit
value sent by the server.

If the server sends a very large value for this, then that value could
look negative when converted to a signed int. That would make that
value pass the PATH_MAX check later in CIFSFindNext. The name_len would
then be used as a length value for a memcpy. It would then be treated
as unsigned again, and the memcpy scribbles over a ton of memory.

Fix this by making the name_len an unsigned value in CIFSFindNext.

Cc: &lt;stable@kernel.org&gt;
Reported-by: Darren Lavender &lt;dcl@hppine99.gbr.hp.com&gt;
Signed-off-by: Jeff Layton &lt;jlayton@redhat.com&gt;
Signed-off-by: Steve French &lt;sfrench@us.ibm.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The name_len variable in CIFSFindNext is a signed int that gets set to
the resume_name_len in the cifs_search_info. The resume_name_len however
is unsigned and for some infolevels is populated directly from a 32 bit
value sent by the server.

If the server sends a very large value for this, then that value could
look negative when converted to a signed int. That would make that
value pass the PATH_MAX check later in CIFSFindNext. The name_len would
then be used as a length value for a memcpy. It would then be treated
as unsigned again, and the memcpy scribbles over a ton of memory.

Fix this by making the name_len an unsigned value in CIFSFindNext.

Cc: &lt;stable@kernel.org&gt;
Reported-by: Darren Lavender &lt;dcl@hppine99.gbr.hp.com&gt;
Signed-off-by: Jeff Layton &lt;jlayton@redhat.com&gt;
Signed-off-by: Steve French &lt;sfrench@us.ibm.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>update cifs version to 1.75</title>
<updated>2011-08-18T16:55:10+00:00</updated>
<author>
<name>Steve French</name>
<email>sfrench@us.ibm.com</email>
</author>
<published>2011-08-18T04:44:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=04c05b4a68c0ab0d6bb41c710a646e56f62a70a3'/>
<id>04c05b4a68c0ab0d6bb41c710a646e56f62a70a3</id>
<content type='text'>
Signed-off-by: Steve French &lt;sfrench@us.ibm.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Signed-off-by: Steve French &lt;sfrench@us.ibm.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>[CIFS] possible memory corruption on mount</title>
<updated>2011-08-18T16:53:02+00:00</updated>
<author>
<name>Steve French</name>
<email>sfrench@us.ibm.com</email>
</author>
<published>2011-08-18T04:41:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=13589c437daf4c8e429b3236c0b923de1c9420d8'/>
<id>13589c437daf4c8e429b3236c0b923de1c9420d8</id>
<content type='text'>
CIFS cleanup_volume_info_contents() looks like having a memory
corruption problem.
When UNCip is set to "&amp;vol-&gt;UNC[2]" in cifs_parse_mount_options(), it
should not be kfree()-ed in cleanup_volume_info_contents().

Introduced in commit b946845a9dc523c759cae2b6a0f6827486c3221a

Signed-off-by: J.R. Okajima &lt;hooanon05@yahoo.co.jp&gt;
Reviewed-by: Jeff Layton &lt;jlayton@redhat.com&gt;
CC: Stable &lt;stable@kernel.org&gt;
Signed-off-by: Steve French &lt;sfrench@us.ibm.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
CIFS cleanup_volume_info_contents() looks like having a memory
corruption problem.
When UNCip is set to "&amp;vol-&gt;UNC[2]" in cifs_parse_mount_options(), it
should not be kfree()-ed in cleanup_volume_info_contents().

Introduced in commit b946845a9dc523c759cae2b6a0f6827486c3221a

Signed-off-by: J.R. Okajima &lt;hooanon05@yahoo.co.jp&gt;
Reviewed-by: Jeff Layton &lt;jlayton@redhat.com&gt;
CC: Stable &lt;stable@kernel.org&gt;
Signed-off-by: Steve French &lt;sfrench@us.ibm.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
