Commit 0e55f63d authored by Namjae Jeon's avatar Namjae Jeon Committed by Steve French

ksmbd: replace hardcoded hdr2_len with offsetof() in smb2_calc_max_out_buf_len()



After this commit (e2b76ab8 "ksmbd: add support for read compound"),
response buffer management was changed to use dynamic iov array.
In the new design, smb2_calc_max_out_buf_len() expects the second
argument (hdr2_len) to be the offset of ->Buffer field in the
response structure, not a hardcoded magic number.
Fix the remaining call sites to use the correct offsetof() value.

Cc: stable@vger.kernel.org
Fixes: e2b76ab8 ("ksmbd: add support for read compound")
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
parent 309b44ed
+12 −8
@@ -4452,7 +4452,8 @@ int smb2_query_dir(struct ksmbd_work *work)
	d_info.wptr = (char *)rsp->Buffer;
	d_info.rptr = (char *)rsp->Buffer;
	d_info.out_buf_len =
		smb2_calc_max_out_buf_len(work, 8,
		smb2_calc_max_out_buf_len(work,
				offsetof(struct smb2_query_directory_rsp, Buffer),
				le32_to_cpu(req->OutputBufferLength));
	if (d_info.out_buf_len < 0) {
		rc = -EINVAL;
@@ -4720,7 +4721,8 @@ static int smb2_get_ea(struct ksmbd_work *work, struct ksmbd_file *fp,
	}

	buf_free_len =
		smb2_calc_max_out_buf_len(work, 8,
		smb2_calc_max_out_buf_len(work,
				offsetof(struct smb2_query_info_rsp, Buffer),
				le32_to_cpu(req->OutputBufferLength));
	if (buf_free_len < 0)
		return -EINVAL;
@@ -5047,7 +5049,8 @@ static int get_file_stream_info(struct ksmbd_work *work,
	file_info = (struct smb2_file_stream_info *)rsp->Buffer;

	buf_free_len =
		smb2_calc_max_out_buf_len(work, 8,
		smb2_calc_max_out_buf_len(work,
				offsetof(struct smb2_query_info_rsp, Buffer),
				le32_to_cpu(req->OutputBufferLength));
	if (buf_free_len < 0)
		goto out;
@@ -8206,7 +8209,8 @@ int smb2_ioctl(struct ksmbd_work *work)
	buffer = (char *)req + le32_to_cpu(req->InputOffset);

	cnt_code = le32_to_cpu(req->CtlCode);
	ret = smb2_calc_max_out_buf_len(work, 48,
	ret = smb2_calc_max_out_buf_len(work,
			offsetof(struct smb2_ioctl_rsp, Buffer),
			le32_to_cpu(req->MaxOutputResponse));
	if (ret < 0) {
		rsp->hdr.Status = STATUS_INVALID_PARAMETER;
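Review bot: The struct name given to offsetof() is typed by hand at each of the four call sites (smb2_query_dir, smb2_get_ea, get_file_stream_info, smb2_ioctl), so nothing ties it to the type of the `rsp` the handler actually fills in. A mismatched name would still compile and would silently mis-size the bound applied to the client-supplied OutputBufferLength / MaxOutputResponse. Where `rsp` is in scope, deriving the type from the pointer, e.g. `offsetof(typeof(*rsp), Buffer)`, keeps the two in step. The new values presumably also count the SMB2 header that the old constants (8 and 48) left out, so a one-line comment at smb2_calc_max_out_buf_len() saying that hdr2_len is measured from the start of the response structure would help later callers. All four functions begin and end outside their hunks, so the declaration of `rsp` in each should be confirmed against the full file.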