[linux-cifs-client] [PATCH 1/2] cifs: fix buffer size for tcon->nativeFileSystem field

Jeff Layton jlayton at redhat.com
Thu Apr 16 17:42:05 GMT 2009


On Thu, 16 Apr 2009 15:41:33 +0000
Dave Kleikamp <shaggy at linux.vnet.ibm.com> wrote:

> On Thu, 2009-04-16 at 11:21 -0400, Jeff Layton wrote:
> > The buffer for this was resized recently to fix a bug. It's still
> > possible however that a malicious server could overflow this field
> > by sending characters in it that are >2 bytes in the local charset.
> > Double the size of the buffer to account for this possibility.
> > 
> > Also get rid of some really strange and seemingly pointless NULL
> > termination. It's NULL terminating the string in the source buffer,
> > but by the time that happens, we've already copied the string.
> > 
> > Signed-off-by: Jeff Layton <jlayton at redhat.com>
> > ---
> >  fs/cifs/connect.c |    7 ++-----
> >  1 files changed, 2 insertions(+), 5 deletions(-)
> > 
> > diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
> > index 01e280c..1a93604 100644
> > --- a/fs/cifs/connect.c
> > +++ b/fs/cifs/connect.c
> > @@ -3756,16 +3756,13 @@ CIFSTCon(unsigned int xid, struct cifsSesInfo *ses,
> >  			    BCC(smb_buffer_response)) {
> >  				kfree(tcon->nativeFileSystem);
> >  				tcon->nativeFileSystem =
> > -				    kzalloc(2*(length + 1), GFP_KERNEL);
> > +				    kzalloc((4 * length) + 2, GFP_KERNEL);
> >  				if (tcon->nativeFileSystem)
> >  					cifs_strfromUCS_le(
> >  						tcon->nativeFileSystem,
> >  						(__le16 *) bcc_ptr,
> >  						length, nls_codepage);
> > -				bcc_ptr += 2 * length;
> > -				bcc_ptr[0] = 0;	/* null terminate the string */
> > -				bcc_ptr[1] = 0;
> > -				bcc_ptr += 2;
> > +				bcc_ptr += (2 * length) + 2;
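Review bot: the new allocation size `kzalloc((4 * length) + 2, GFP_KERNEL)` encodes a worst-case bytes-per-character assumption that the hunk never states, while the conversion call `cifs_strfromUCS_le(tcon->nativeFileSystem, (__le16 *) bcc_ptr, length, nls_codepage)` is passed no destination size, so the bound on the copy rests entirely on that arithmetic; a one-line comment beside the kzalloc giving the assumed maximum output bytes per UCS-2 code unit (plus the terminator) would let a later reader verify the number instead of having to re-derive it from the commit message. Separately, the replacement line `bcc_ptr += (2 * length) + 2;` is a bare pointer advance with no following use visible in the hunk; if nothing after it reads bcc_ptr it is a dead store and can simply be dropped rather than rewritten.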
> 
> What's the point of updating bcc_ptr here?  It's not accurate anyway.
> The correct thing would be:
> 
> bcc_ptr += cifs_strfromUCS_le(... );
> 
> but bcc_ptr isn't used again, so there's no point.
> 
> Shaggy
> -- 
> David Kleikamp
> IBM Linux Technology Center

Here's a respun patch that removes the bcc_ptr update.

-- 
Jeff Layton <jlayton at redhat.com>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-cifs-fix-buffer-size-for-tcon-nativeFileSystem-fie.patch
Type: text/x-patch
Size: 1581 bytes
Desc: not available
Url : http://lists.samba.org/archive/linux-cifs-client/attachments/20090416/19f3bb41/0002-cifs-fix-buffer-size-for-tcon-nativeFileSystem-fie.bin