diff options
author | Steve French <stfrench@microsoft.com> | 2022-07-12 18:43:44 +0200 |
---|---|---|
committer | Steve French <stfrench@microsoft.com> | 2022-08-01 08:34:44 +0200 |
commit | 5fa2cffba0b82336a2244d941322eb1627ff787b (patch) | |
tree | bd80b7d35630355cea0739b43c1df43cbd217151 | |
parent | Linux 5.19 (diff) | |
download | linux-5fa2cffba0b82336a2244d941322eb1627ff787b.tar.xz linux-5fa2cffba0b82336a2244d941322eb1627ff787b.zip |
smb3: check xattr value length earlier
Coverity complains about assigning a pointer based on
value length before checking that value length goes
beyond the end of the SMB. Although this is even more
unlikely as value length is a single byte, and the
pointer is not dereferenced until laterm, it is clearer
to check the lengths first.
Addresses-Coverity: 1467704 ("Speculative execution data leak")
Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
-rw-r--r-- | fs/cifs/smb2ops.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c index 8802995b2d3d..aa4c1d403708 100644 --- a/fs/cifs/smb2ops.c +++ b/fs/cifs/smb2ops.c @@ -1145,9 +1145,7 @@ move_smb2_ea_to_cifs(char *dst, size_t dst_size, size_t name_len, value_len, user_name_len; while (src_size > 0) { - name = &src->ea_data[0]; name_len = (size_t)src->ea_name_length; - value = &src->ea_data[src->ea_name_length + 1]; value_len = (size_t)le16_to_cpu(src->ea_value_length); if (name_len == 0) @@ -1159,6 +1157,9 @@ move_smb2_ea_to_cifs(char *dst, size_t dst_size, goto out; } + name = &src->ea_data[0]; + value = &src->ea_data[src->ea_name_length + 1]; + if (ea_name) { if (ea_name_len == name_len && memcmp(ea_name, name, name_len) == 0) { |