From: Jeff Layton <jlayton@redhat.com> Subject: [RHEL5.1 PATCH] CIFS: Fix oops when Windows server sends bad domain name null terminator (BZ 224359) Date: Mon, 23 Apr 2007 13:16:28 -0400 Bugzilla: 224359 Message-Id: <20070423171626.GA24895@dantu.rdu.redhat.com> Changelog: [CIFS] Windows server bad domain name null terminator fix This bug and patch were cloned from an FC6 bug. Apparently, some Windows servers do not send the correct terminator for unicode domain names in a session setup response. Under certain conditions (that I've not been able to determine) they send a single a single NULL byte instead of two. This throws off the CIFS client parsing of the session setup reponse and ultimately leads to a panic that looks like the ones in this FC6 BZ: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=211672 I've not heard of anyone reporting this issue in RHEL5, but the code there appears to have the same bug. This patch reportedly fixed this problem for several people running fedora kernels. While I don't have a way to really reproduce this, a couple of IBM employees (including the CIFS maintainer) have recommended that we include this patch in RHEL5. ACKs or comments appreciated... commit 8e6f195af0e1f226e9b2e0256af8df46adb9d595 Author: Steve French <sfrench@us.ibm.com> [CIFS] Fix oops when Windows server sent bad domain name null terminator Fixes RedHat bug 211672 Windows sends one byte (instead of two) of null to terminate final Unicode string (domain name) in session setup response in some cases - this caused cifs to misalign some informational strings (making it hard to convert from UCS16 to UTF8). Thanks to Shaggy for his help and Akemi Yagi for debugging/testing Signed-off-by: Shirish Pargaonkar <shirishp@us.ibm.com> Signed-off-by: Steve French <sfrench@us.ibm.com> diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c index bbdda99..7584646 100644 --- a/fs/cifs/sess.c +++ b/fs/cifs/sess.c @@ -182,11 +182,14 @@ static int decode_unicode_ssetup(char ** pbcc_area, int bleft, struct cifsSesInf cFYI(1,("bleft %d",bleft)); - /* word align, if bytes remaining is not even */ - if(bleft % 2) { - bleft--; - data++; - } + /* SMB header is unaligned, so cifs servers word align start of + Unicode strings */ + data++; + bleft--; /* Windows servers do not always double null terminate + their final Unicode string - in which case we + now will not attempt to decode the byte of junk + which follows it */ + words_left = bleft / 2; /* save off server operating system */