cifs: fix bi-directional fsctl passthrough calls

SMB2 Ioctl responses from servers may respond with both the request blob from
the client followed by the actual reply blob for ioctls that are bi-directional.

In that case we can not assume that the reply blob comes immediately after the
ioctl response structure.

This fixes FSCTLs such as SMB2:FSCTL_QUERY_ALLOCATED_RANGES

Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Steve French <stfrench@microsoft.com>

diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
index 08ff044fbb4b84a6d8f7889903cb2478f98ec3dc..4002e1433ccbada803e808fa74918706a19fa64c 100644 (file)
--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -1462,12 +1462,19 @@ smb2_ioctl_query_info(const unsigned int xid,
                io_rsp = (struct smb2_ioctl_rsp *)rsp_iov[1].iov_base;
                if (le32_to_cpu(io_rsp->OutputCount) < qi.input_buffer_length)
                        qi.input_buffer_length = le32_to_cpu(io_rsp->OutputCount);
+               if (qi.input_buffer_length > 0 &&
+                   le32_to_cpu(io_rsp->OutputOffset) + qi.input_buffer_length > rsp_iov[1].iov_len) {
+                       rc = -EFAULT;
+                       goto iqinf_exit;
+               }
                if (copy_to_user(&pqi->input_buffer_length, &qi.input_buffer_length,
                                 sizeof(qi.input_buffer_length))) {
                        rc = -EFAULT;
                        goto iqinf_exit;
                }
-               if (copy_to_user(pqi + 1, &io_rsp[1], qi.input_buffer_length)) {
+               if (copy_to_user((void __user *)pqi + sizeof(struct smb_query_info),
+                                (const void *)io_rsp + le32_to_cpu(io_rsp->OutputOffset),
+                                qi.input_buffer_length)) {
                        rc = -EFAULT;
                        goto iqinf_exit;
                }