smb: client: fix wrong index reference in smb2_compound_op()

In smb2_compound_op(), the loop that processes each command's response
uses wrong indices when accessing response bufferes.

This incorrect indexing leads to improper handling of command results.
Also, if incorrectly computed index is greather than or equal to
MAX_COMPOUND, it can cause out-of-bounds accesses.

Fixes: 3681c74d342d ("smb: client: handle lack of EA support in smb2_query_path_info()") # 6.14
Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
Signed-off-by: Sang-Heon Jeon <ekffu200098@gmail.com>
Signed-off-by: Steve French <stfrench@microsoft.com>

diff --git a/fs/smb/client/smb2inode.c b/fs/smb/client/smb2inode.c
index e32a3f33879339f8ca4e98b85b19f48f7bd99f0e..0985db9f86e5104b44cf55aa4dd5833e45251e25 100644 (file)
--- a/fs/smb/client/smb2inode.c
+++ b/fs/smb/client/smb2inode.c
@@ -687,7 +687,7 @@ finished:
        }
 
        for (i = 0; i < num_cmds; i++) {
-               char *buf = rsp_iov[i + i].iov_base;
+               char *buf = rsp_iov[i + 1].iov_base;
 
                if (buf && resp_buftype[i + 1] != CIFS_NO_BUFFER)
                        rc = server->ops->map_error(buf, false);