Showing error 1656

User: Jiri Slaby
Error type: Invalid Pointer Dereference
Error type description: A pointer which is invalid is being dereferenced
File location: fs/cifs/connect.c
Line in file: 3320
Project: Linux Kernel
Project version: 2.6.28
Tools: Smatch (1.59)
Entered: 2013-09-10 07:54:05 UTC


Source:

3290                                              blob_len));
3291                                }
3292
3293                                cFYI(1,
3294                                     ("NTLMSSP response to Authenticate "));
3295
3296                                if (smb_buffer->Flags2 & SMBFLG2_UNICODE) {
3297                                        if ((long) (bcc_ptr) % 2) {
3298                                                remaining_words =
3299                                                    (BCC(smb_buffer_response)
3300                                                     - 1) / 2;
3301                                                bcc_ptr++;        /* Unicode strings must be word aligned */
3302                                        } else {
3303                                                remaining_words = BCC(smb_buffer_response) / 2;
3304                                        }
3305                                        len = UniStrnlen((wchar_t *) bcc_ptr,
3306                                                        remaining_words - 1);
3307/* We look for obvious messed up bcc or strings in response so we do not go off
3308  the end since (at least) WIN2K and Windows XP have a major bug in not null
3309  terminating last Unicode string in response  */
3310                                        if (ses->serverOS)
3311                                                kfree(ses->serverOS);
3312                                        ses->serverOS =
3313                                            kzalloc(2 * (len + 1), GFP_KERNEL);
3314                                        cifs_strfromUCS_le(ses->serverOS,
3315                                                           (__le16 *)
3316                                                           bcc_ptr, len,
3317                                                           nls_codepage);
3318                                        bcc_ptr += 2 * (len + 1);
3319                                        remaining_words -= len + 1;
3320                                        ses->serverOS[2 * len] = 0;
3321                                        ses->serverOS[1 + (2 * len)] = 0;
3322                                        if (remaining_words > 0) {
3323                                                len = UniStrnlen((wchar_t *)
3324                                                                 bcc_ptr,
3325                                                                 remaining_words
3326                                                                 - 1);
3327                                                kfree(ses->serverNOS);
3328                                                ses->serverNOS =
3329                                                    kzalloc(2 * (len + 1),
3330                                                            GFP_KERNEL);