From: Jeff Layton <jlayton@redhat.com>
Date: Thu, 14 May 2009 11:29:35 -0400
Subject: [fs] cifs: fix error handling in parse_DFS_referrals
Message-id: 1242314975-8714-1-git-send-email-jlayton@redhat.com
O-Subject: [RHEL5 PATCH] BZ#496577: cifs: fix error handling in parse_DFS_referrals
Bugzilla: 496577
RH-Acked-by: Josef Bacik <josef@redhat.com>
CVE: CVE-2009-1633

This is a patch to the earlier patch for the unicode buffer overruns. It's a pretty clear problem of mishandled error handling. cifs_strndup_from_ucs returns NULL on error, not an ERR_PTR

The patch has been taken upstream by Steve French and he's pushing it to Linus today.

Signed-off-by: Jeff Layton <jlayton@redhat.com>

diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c index 256caa5..3a08aa2 100644 --- a/fs/cifs/cifssmb.c +++ b/fs/cifs/cifssmb.c @@ -3986,9 +3986,8 @@ parse_DFS_referrals(TRANSACTION2_GET_DFS_REFER_RSP *pSMBr, max_len = data_end - temp; node->path_name = cifs_strndup_from_ucs(temp, max_len, is_unicode, nls_codepage); - if (IS_ERR(node->path_name)) { - rc = PTR_ERR(node->path_name); - node->path_name = NULL; + if (!node->path_name) { + rc = -ENOMEM; goto parse_DFS_referrals_exit; } @@ -3997,11 +3996,8 @@ parse_DFS_referrals(TRANSACTION2_GET_DFS_REFER_RSP *pSMBr, max_len = data_end - temp; node->node_name = cifs_strndup_from_ucs(temp, max_len, is_unicode, nls_codepage); - if (IS_ERR(node->node_name)) { - rc = PTR_ERR(node->node_name); - node->node_name = NULL; - goto parse_DFS_referrals_exit; - } + if (!node->node_name) + rc = -ENOMEM; } parse_DFS_referrals_exit:
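
Review bot: The new `if (!node->path_name)` branch in the first hunk reports every NULL return as -ENOMEM, while the commit message only says cifs_strndup_from_ucs returns NULL "on error"; if the helper can fail for a reason other than allocation, that cause is lost to the caller. A one-line comment above the check stating why -ENOMEM is the right mapping would settle it. The commit message could also spell out what the removed test did: IS_ERR() is false for NULL, so the old branch never ran on failure and the function carried on with rc unchanged and path_name set to NULL.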
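
Review bot: The node_name check in the second hunk drops the `goto parse_DFS_referrals_exit;` that the path_name check keeps, so a failure here relies on falling through the closing `}` to reach the label. If that brace closes a loop over the referral entries, the next iteration runs with rc already set to -ENOMEM and keeps allocating strings before the error is acted on. Keeping the braces and the goto, as in the path_name branch, makes both failures leave the same way and stays correct if code is later added after this check.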