Dan Carpenter 2d204ee9d6 cifs: integer overflow in in SMB2_ioctl() ...

The "le32_to_cpu(rsp->OutputOffset) + *plen" addition can overflow and
wrap around to a smaller value which looks like it would lead to an
information leak.

Fixes: 4a72dafa19ba ("SMB2 FSCTL and IOCTL worker function")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Reviewed-by: Aurelien Aptel <aaptel@suse.com>
CC: Stable <stable@vger.kernel.org>

2018-09-12 09:32:07 -05:00

..

9p

Pull request for inclusion in 4.19, take two

2018-08-17 17:27:58 -07:00

adfs

adfs: use timespec64 for time conversion

2018-08-22 10:52:51 -07:00

affs

affs: fix potential memory leak when parsing option 'prefix'

2018-05-28 12:36:41 +02:00

afs

afs: Fix cell specification to permit an empty address list

2018-09-07 16:39:44 -07:00

autofs

Merge branch 'akpm' (patches from Andrew)

2018-08-22 12:34:08 -07:00

befs

fix a series of Documentation/ broken file name references

2018-06-15 18:10:01 -03:00

bfs

bfs_add_entry: pass name/len as qstr pointer

2018-05-22 14:27:50 -04:00

btrfs

for-4.19-rc2-tag

2018-09-06 09:04:45 -07:00

cachefiles

cachefiles: Wait rather than BUG'ing on "Unexpected object collision"

2018-07-25 14:49:00 +01:00

ceph

ceph: avoid a use-after-free in ceph_destroy_options()

2018-09-06 16:18:04 +02:00

cifs

cifs: integer overflow in in SMB2_ioctl()

2018-09-12 09:32:07 -05:00

coda

vfs: change inode times to use struct timespec64

2018-06-05 16:57:31 -07:00

configfs

configfs: fix registered group removal

2018-07-17 06:14:07 -07:00

cramfs

vfs/y2038: inode timestamps conversion to timespec64

2018-06-15 07:31:07 +09:00

crypto

f2fs-for-4.18-rc1

2018-06-11 10:16:13 -07:00

debugfs

Revert "debugfs: inode: debugfs_create_dir uses mode permission from parent"

2018-06-12 20:52:16 -07:00

devpts

devpts: Convert to new IDA API

2018-08-21 23:54:17 -04:00

dlm

treewide: Use array_size() in vmalloc()

2018-06-12 16:19:22 -07:00

ecryptfs

Merge branch 'fixes' of https://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs into aio-base

2018-05-26 09:16:25 +02:00

efivarfs

efivars: Call guid_parse() against guid_t type of variable

2018-07-22 14:13:44 +02:00

efs

…

exofs

exofs: use bio_clone_fast in _write_mirror

2018-07-24 14:43:20 -06:00

exportfs

ovl: do not try to reconnect a disconnected origin dentry

2018-04-12 12:04:49 +02:00

ext2

Merge branch 'akpm' (patches from Andrew)

2018-08-17 16:49:31 -07:00

ext4

ext4: readpages() should submit IO as read-ahead

2018-08-17 16:20:29 -07:00

f2fs

f2fs-for-4.19-rc1

2018-08-22 13:29:39 -07:00

fat

fat: propagate 64-bit inode timestamps

2018-08-22 10:52:50 -07:00

freevxfs

freevxfs_lookup(): use d_splice_alias()

2018-05-22 14:27:51 -04:00

fscache

fscache: Fix reference overput in fscache_attach_object() error handling

2018-07-25 14:49:00 +01:00

fuse

fuse update for 4.19

2018-08-21 18:47:36 -07:00

gfs2

gfs2 4.19 merge

2018-08-15 22:40:03 -07:00

hfs

hfs: prevent crash on exit from failed search

2018-08-23 18:48:42 -07:00

hfsplus

hfsplus: prevent crash on exit from failed search

2018-08-23 18:48:42 -07:00

hostfs

vfs: discard ATTR_ATTR_FLAG

2018-08-17 16:20:28 -07:00

hpfs

hpfs: remove unnecessary checks on the value of r when assigning error code

2018-08-25 12:42:33 -07:00

hugetlbfs

mm: zero out the vma in vma_init()

2018-08-22 10:52:44 -07:00

isofs

isofs: reject hardware sector size > 2048 bytes

2018-08-21 11:37:41 +02:00

jbd2

jbd2: replace current_kernel_time64 with ktime equivalent

2018-07-29 15:51:47 -04:00

jffs2

jffs2: use unsigned 32-bit timstamps consistently

2018-07-18 16:44:01 +02:00

jfs

Just one jfs patch for 4.19

2018-08-15 22:47:23 -07:00

kernfs

Driver core patches for 4.19-rc1

2018-08-18 11:44:53 -07:00

lockd

nfsd: fix leaked file lock with nfs exported overlayfs

2018-08-09 16:11:21 -04:00

minix

minix_lookup: use d_splice_alias()

2018-05-22 14:27:52 -04:00

nfs

NFS client updates for Linux 4.19

2018-08-23 16:03:58 -07:00

nfs_common

net: Drop pernet_operations::async

2018-03-27 13:18:09 -04:00

nfsd

A mistake on my part caused me to tag my branch 6 commits too early,

2018-08-23 16:00:10 -07:00

nilfs2

nilfs2: convert to SPDX license tags

2018-09-04 16:45:02 -07:00

nls

…

notify

fsnotify: fix ignore mask logic in fsnotify()

2018-09-03 14:57:41 +02:00

ntfs

ntfs: mft: remove VLA usage

2018-08-17 16:20:27 -07:00

ocfs2

overlayfs update for 4.19

2018-08-21 18:19:09 -07:00

omfs

omfs_lookup(): report IO errors, use d_splice_alias()

2018-05-22 14:27:58 -04:00

openpromfs

openpromfs: switch to d_splice_alias()

2018-05-22 14:27:57 -04:00

orangefs

orangefs: remove redundant pointer orangefs_inode

2018-08-14 12:07:14 -04:00

overlayfs

ovl: set I_CREATING on inode being created

2018-08-22 13:15:25 -07:00

proc

Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

2018-08-26 11:25:21 -07:00

pstore

pstore: add zstd compression support

2018-08-03 18:12:18 -07:00

qnx4

qnx4_lookup: use d_splice_alias()

2018-05-22 14:27:52 -04:00

qnx6

qnx6_lookup: switch to d_splice_alias()

2018-05-22 14:27:54 -04:00

quota

fs/quota: Fix spectre gadget in do_quotactl

2018-08-22 18:17:48 +02:00

ramfs

…

reiserfs

reiserfs: fix broken xattr handling (heap corruption, bad retval)

2018-08-22 10:52:50 -07:00

romfs

romfs_lookup: switch to d_splice_alias()

2018-05-22 14:27:55 -04:00

squashfs

Squashfs: Compute expected length from inode size rather than block length

2018-08-02 09:34:02 -07:00

sysfs

Driver core patches for 4.19-rc1

2018-08-18 11:44:53 -07:00

sysv

fs/sysv/inode.c: use ktime_get_real_seconds() for superblock stamp

2018-08-22 10:52:51 -07:00

tracefs

tracefs: Annotate tracefs_ops with __ro_after_init

2018-07-31 11:32:44 -04:00

ubifs

ubifs: Remove empty file.h

2018-08-24 13:50:07 +02:00

udf

udf: Fix mounting of Win7 created UDF filesystems

2018-08-24 11:13:32 +02:00

ufs

fs/ufs: use ktime_get_real_seconds for sb and cg timestamps

2018-08-17 16:20:27 -07:00

xfs

overlayfs update for 4.19

2018-08-21 18:19:09 -07:00

aio.c

Merge branch 'work.aio' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs

2018-08-13 20:56:23 -07:00

anon_inodes.c

anon_inode_getfile(): switch to alloc_file_pseudo()

2018-07-12 10:04:27 -04:00

attr.c

fs: Fix attr.c kernel-doc

2018-07-03 16:44:45 -04:00

bad_inode.c

get rid of 'opened' argument of ->atomic_open() - part 3

2018-07-12 10:04:20 -04:00

binfmt_aout.c

exec: introduce finalize_exec() before start_thread()

2018-04-11 10:28:37 -07:00

binfmt_elf_fdpic.c

treewide: kmalloc() -> kmalloc_array()

2018-06-12 16:19:22 -07:00

binfmt_elf.c

Here are the main MIPS changes for 4.19.

2018-08-13 19:24:32 -07:00

binfmt_em86.c

…

binfmt_flat.c

exec: introduce finalize_exec() before start_thread()

2018-04-11 10:28:37 -07:00

binfmt_misc.c

turn filp_clone_open() into inline wrapper for dentry_open()

2018-07-10 23:29:03 -04:00

binfmt_script.c

…

block_dev.c

for-4.19/block-20180812

2018-08-14 10:23:25 -07:00

buffer.c

notifier: Remove notifier header file wherever not used

2018-08-30 12:56:40 +02:00

char_dev.c

block, char_dev: Use correct format specifier for unsigned ints

2018-03-15 17:59:24 +01:00

compat_binfmt_elf.c

…

compat_ioctl.c

media: dvb/audio.h: get rid of unused APIs

2018-07-30 16:21:49 -04:00

compat.c

ncpfs: remove compat functionality

2018-06-05 19:23:26 +02:00

coredump.c

…

d_path.c

split d_path() and friends into a separate file

2018-03-29 15:07:46 -04:00

dax.c

libnvdimm-for-4.19_dax-memory-failure

2018-08-25 18:43:59 -07:00

dcache.c

fs/dcache.c: fix kmemcheck splat at take_dentry_name_snapshot()

2018-08-17 16:20:28 -07:00

dcookies.c

fs: add do_lookup_dcookie() helper; remove in-kernel call to syscall

2018-04-02 20:15:39 +02:00

direct-io.c

block: consistently use GFP_NOIO instead of __GFP_NORECLAIM

2018-05-14 08:55:18 -06:00

drop_caches.c

…

eventfd.c

Revert changes to convert to ->poll_mask() and aio IOCB_CMD_POLL

2018-06-28 10:40:47 -07:00

eventpoll.c

fs/eventpoll.c: simplify ep_is_linked() callers

2018-08-22 10:52:49 -07:00

exec.c

Merge branch 'siginfo-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace

2018-08-21 13:47:29 -07:00

fcntl.c

signal: Don't send signals to tasks that don't exist

2018-08-15 23:03:20 -05:00

fhandle.c

…

file_table.c

overlayfs update for 4.19

2018-08-21 18:19:09 -07:00

file.c

fs: add ksys_close() wrapper; remove in-kernel calls to sys_close()

2018-04-02 20:16:00 +02:00

filesystems.c

proc: introduce proc_create_single{,_data}

2018-05-16 07:23:35 +02:00

fs_pin.c

…

fs_struct.c

…

fs-writeback.c

bdi: Fix oops in wb_workfn()

2018-05-03 16:11:37 -06:00

inode.c

overlayfs update for 4.19

2018-08-21 18:19:09 -07:00

internal.h

overlayfs update for 4.19

2018-08-21 18:19:09 -07:00

ioctl.c

vfs: export vfs_ioctl() to modules

2018-07-18 15:44:40 +02:00

iomap.c

Changes since last update:

2018-08-21 18:15:47 -07:00

Kconfig

autofs: remove left-over autofs4 stubs

2018-06-11 08:22:34 -07:00

Kconfig.binfmt

kconfig: move the "Executable file formats" menu to fs/Kconfig.binfmt

2018-08-02 08:06:55 +09:00

libfs.c

fs, dax: prepare for dax-specific address_space_operations

2018-03-30 11:34:55 -07:00

locks.c

overlayfs update for 4.19

2018-08-21 18:19:09 -07:00

Makefile

autofs: remove left-over autofs4 stubs

2018-06-11 08:22:34 -07:00

mbcache.c

treewide: kmalloc() -> kmalloc_array()

2018-06-12 16:19:22 -07:00

mount.h

…

mpage.c

mpage: mpage_readpages() should submit IO as read-ahead

2018-08-17 16:20:29 -07:00

namei.c

namei: allow restricted O_CREAT of FIFOs and regular files

2018-08-23 18:48:43 -07:00

namespace.c

Merge branch 'ida-4.19' of git://git.infradead.org/users/willy/linux-dax

2018-08-26 11:48:42 -07:00

no-block.c

…

nsfs.c

net: Export open_related_ns()

2018-02-15 15:34:42 -05:00

open.c

overlayfs update for 4.19

2018-08-21 18:19:09 -07:00

pipe.c

Merge branch 'work.open3' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs

2018-08-13 19:58:36 -07:00

pnode.c

…

pnode.h

…

posix_acl.c

…

proc_namespace.c

vfs: do bulk POLL* -> EPOLL* replacement

2018-02-11 14:34:03 -08:00

read_write.c

vfs: export vfs_dedupe_file_range_one() to modules

2018-07-18 15:44:40 +02:00

readdir.c

fs: add ksys_getdents64() helper; remove in-kernel calls to sys_getdents64()

2018-04-02 20:16:02 +02:00

select.c

Revert changes to convert to ->poll_mask() and aio IOCB_CMD_POLL

2018-06-28 10:40:47 -07:00

seq_file.c

fs/seq_file.c: simplify seq_file iteration code and interface

2018-08-17 16:20:28 -07:00

signalfd.c

Merge branch 'work.compat' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs

2018-06-16 16:21:50 +09:00

splice.c

Merge branch 'work.compat' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs

2018-06-16 16:21:50 +09:00

stack.c

…

stat.c

fs: add do_readlinkat() helper; remove internal call to sys_readlinkat()

2018-04-02 20:15:34 +02:00

statfs.c

kernel: add kcompat_sys_{f,}statfs64()

2018-07-12 14:49:48 +01:00

super.c

Merge branch 'ida-4.19' of git://git.infradead.org/users/willy/linux-dax

2018-08-26 11:48:42 -07:00

sync.c

Changes for this release:

2018-04-04 12:44:02 -07:00

timerfd.c

Merge branch 'work.aio' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs

2018-08-13 20:56:23 -07:00

userfaultfd.c

mm: Change return type int to vm_fault_t for fault handlers

2018-08-23 18:48:44 -07:00

utimes.c

fs: add do_compat_futimesat() helper; remove in-kernel call to compat syscall

2018-04-02 20:15:44 +02:00

xattr.c

Merge branch 'userns-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace

2018-08-24 09:25:39 -07:00