Showing error 1653

User: Jiri Slaby
Error type: Invalid Pointer Dereference
Error type description: A pointer that may be NULL is dereferenced. In the listing below, ses->serverOS is assigned the result of kzalloc() at line 2911 and written through at lines 2912 and 2918 with no NULL check in between, so an allocation failure turns into a NULL-pointer write; the later kzalloc() for ses->serverNOS at line 2926 is not checked in the visible lines either.
File location: fs/cifs/connect.c
Line in file: 2918
Project: Linux Kernel
Project version: 2.6.28
Tools: Smatch (1.59)
Entered: 2013-09-10 07:54:05 UTC


Source:

2888                                                        SECMODE_SIGN_ENABLED;
2889
2890                                if (smb_buffer->Flags2 & SMBFLG2_UNICODE) {
2891                                        if ((long) (bcc_ptr) % 2) {
2892                                                remaining_words =
2893                                                    (BCC(smb_buffer_response)
2894                                                     - 1) / 2;
2895                                         /* Must word align unicode strings */
2896                                                bcc_ptr++;
2897                                        } else {
2898                                                remaining_words =
2899                                                    BCC
2900                                                    (smb_buffer_response) / 2;
2901                                        }
2902                                        len =
2903                                            UniStrnlen((wchar_t *) bcc_ptr,
2904                                                       remaining_words - 1);
2905/* We look for obvious messed up bcc or strings in response so we do not go off
2906   the end since (at least) WIN2K and Windows XP have a major bug in not null
2907   terminating last Unicode string in response  */
2908                                        if (ses->serverOS)
2909                                                kfree(ses->serverOS);
2910                                        ses->serverOS =
2911                                            kzalloc(2 * (len + 1), GFP_KERNEL);
2912                                        cifs_strfromUCS_le(ses->serverOS,
2913                                                           (__le16 *)
2914                                                           bcc_ptr, len,
2915                                                           nls_codepage);
2916                                        bcc_ptr += 2 * (len + 1);
2917                                        remaining_words -= len + 1;
2918                                        ses->serverOS[2 * len] = 0;
2919                                        ses->serverOS[1 + (2 * len)] = 0;
2920                                        if (remaining_words > 0) {
2921                                                len = UniStrnlen((wchar_t *)
2922                                                                 bcc_ptr,
2923                                                                 remaining_words
2924                                                                 - 1);
2925                                                kfree(ses->serverNOS);
2926                                                ses->serverNOS =
2927                                                    kzalloc(2 * (len + 1),
2928                                                            GFP_KERNEL);