Linux-libre 4.4.5-gnupck-4.4.5-gnu

author: André Fabian Silva Delgado <emulatorman@parabola.nu> 2016-03-11 18:08:49 -0300
committer: André Fabian Silva Delgado <emulatorman@parabola.nu> 2016-03-11 18:08:49 -0300
commit: d4e493caf788ef44982e131ff9c786546904d934 (patch)
tree: 04c72e6d295ff6b222c2991ff4b87d16d651443b /fs/cifs/smb2pdu.c
parent: eccbe858ce6412b96fc7cb32eb23a3592f64e5f6 (diff)
1 files changed, 14 insertions, 10 deletions
diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
index 767555518..373b5cd1c 100644
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -1109,21 +1109,25 @@ parse_lease_state(struct TCP_Server_Info *server, struct smb2_create_rsp *rsp,
 {
 	char *data_offset;
 	struct create_context *cc;
-	unsigned int next = 0;
+	unsigned int next;
+	unsigned int remaining;
 	char *name;
 
 	data_offset = (char *)rsp + 4 + le32_to_cpu(rsp->CreateContextsOffset);
+	remaining = le32_to_cpu(rsp->CreateContextsLength);
 	cc = (struct create_context *)data_offset;
-	do {
-		cc = (struct create_context *)((char *)cc + next);
+	while (remaining >= sizeof(struct create_context)) {
 		name = le16_to_cpu(cc->NameOffset) + (char *)cc;
-		if (le16_to_cpu(cc->NameLength) != 4 ||
-		    strncmp(name, "RqLs", 4)) {
-			next = le32_to_cpu(cc->Next);
-			continue;
-		}
-		return server->ops->parse_lease_buf(cc, epoch);
-	} while (next != 0);
+		if (le16_to_cpu(cc->NameLength) == 4 &&
+		    strncmp(name, "RqLs", 4) == 0)
+			return server->ops->parse_lease_buf(cc, epoch);
+
+		next = le32_to_cpu(cc->Next);
+		if (!next)
+			break;
+		remaining -= next;
+		cc = (struct create_context *)((char *)cc + next);
+	}
 
 	return 0;
 }
author	André Fabian Silva Delgado <emulatorman@parabola.nu>	2016-03-11 18:08:49 -0300
committer	André Fabian Silva Delgado <emulatorman@parabola.nu>	2016-03-11 18:08:49 -0300
commit	d4e493caf788ef44982e131ff9c786546904d934 (patch)
tree	04c72e6d295ff6b222c2991ff4b87d16d651443b /fs/cifs/smb2pdu.c
parent	eccbe858ce6412b96fc7cb32eb23a3592f64e5f6 (diff)