summaryrefslogtreecommitdiff
path: root/fs
diff options
context:
space:
mode:
authorSteve French <stfrench@microsoft.com>2022-07-12 19:43:44 +0300
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2022-08-25 12:45:53 +0300
commit6a77b03098b1491cbaf23aba3f7e5c981755aef2 (patch)
treea056cc0dee2d6ffa40ce11580cfecd1f8db66d7b /fs
parent14128541cf81047e60168cb6580604f365b04e60 (diff)
downloadlinux-6a77b03098b1491cbaf23aba3f7e5c981755aef2.tar.xz
smb3: check xattr value length earlier
[ Upstream commit 5fa2cffba0b82336a2244d941322eb1627ff787b ] Coverity complains about assigning a pointer based on value length before checking that value length goes beyond the end of the SMB. Although this is even more unlikely as value length is a single byte, and the pointer is not dereferenced until laterm, it is clearer to check the lengths first. Addresses-Coverity: 1467704 ("Speculative execution data leak") Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'fs')
-rw-r--r--fs/cifs/smb2ops.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
index 8802995b2d3d..aa4c1d403708 100644
--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -1145,9 +1145,7 @@ move_smb2_ea_to_cifs(char *dst, size_t dst_size,
size_t name_len, value_len, user_name_len;
while (src_size > 0) {
- name = &src->ea_data[0];
name_len = (size_t)src->ea_name_length;
- value = &src->ea_data[src->ea_name_length + 1];
value_len = (size_t)le16_to_cpu(src->ea_value_length);
if (name_len == 0)
@@ -1159,6 +1157,9 @@ move_smb2_ea_to_cifs(char *dst, size_t dst_size,
goto out;
}
+ name = &src->ea_data[0];
+ value = &src->ea_data[src->ea_name_length + 1];
+
if (ea_name) {
if (ea_name_len == name_len &&
memcmp(ea_name, name, name_len) == 0) {