[linux-cifs-client] [PATCH 1/5] cifs: Fix buffer size for tcon->nativeFileSystem field
Suresh Jayaraman
sjayaraman at suse.de
Wed May 6 11:33:04 GMT 2009
Author: Jeff Layton <jlayton at redhat.com>
Date: Thu Apr 16 11:21:52 2009 -0400
cifs: fix buffer size for tcon->nativeFileSystem field
The buffer for this was resized recently to fix a bug. It's still
possible however that a malicious server could overflow this field
by sending characters in it that are >2 bytes in the local charset.
Double the size of the buffer to account for this possibility.
Also get rid of some really strange and seemingly pointless NULL
termination. It's NULL terminating the string in the source buffer,
but by the time that happens, we've already copied the string.
Signed-off-by: Jeff Layton <jlayton at redhat.com>
Signed-off-by: Steve French <sfrench at us.ibm.com>
---
fs/cifs/connect.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
Index: linux-2.6.29.2/fs/cifs/connect.c
===================================================================
--- linux-2.6.29.2.orig/fs/cifs/connect.c
+++ linux-2.6.29.2/fs/cifs/connect.c
@@ -3667,16 +3667,12 @@ CIFSTCon(unsigned int xid, struct cifsSe
BCC(smb_buffer_response)) {
kfree(tcon->nativeFileSystem);
tcon->nativeFileSystem =
- kzalloc(2*(length + 1), GFP_KERNEL);
+ kzalloc((4 * length) + 2, GFP_KERNEL);
if (tcon->nativeFileSystem)
cifs_strfromUCS_le(
tcon->nativeFileSystem,
(__le16 *) bcc_ptr,
length, nls_codepage);
- bcc_ptr += 2 * length;
- bcc_ptr[0] = 0; /* null terminate the string */
- bcc_ptr[1] = 0;
- bcc_ptr += 2;
}
/* else do not bother copying these information fields*/
} else {
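Review bot: the new allocation size `(4 * length) + 2` needs a comment stating the bound it relies on: `length` is a count of 16-bit UCS-2 units, and the local charset can expand a single unit to more than 2 bytes (up to 3 in UTF-8 for a BMP code point), so 4 bytes per unit is a safe ceiling, but nothing on this line tells a reader where 4 comes from or that `length` has already been validated against `BCC(smb_buffer_response)` just above. It would also be worth confirming in the same change that `cifs_strfromUCS_le` bounds its writes by the allocated size rather than the safety resting only on this arithmetic, and that nothing after this block still expects `bcc_ptr` to have been advanced by the removed `bcc_ptr += 2 * length;` / `bcc_ptr += 2;` lines; the trailing `/* else do not bother copying these information fields*/` suggests this is the last field parsed, but the hunk does not show what follows the `else`.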
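The sizing problem the commit message describes, worked through as an added example that is not part of the patch or of the CIFS code: a bounded UTF-16LE to UTF-8 converter (a stand-in for the kernel's `cifs_strfromUCS_le`, whose internals are not shown here), a worst-case expansion bound, and the old and new allocation formulas from the hunk applied to a constructed three-character string whose UTF-8 form needs 3 bytes per UCS-2 unit. The function names and the sample bytes are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Allocation formulas exactly as they appear in the hunk: old ("-") and new ("+"). */
size_t old_alloc(size_t length) { return 2 * (length + 1); }
size_t new_alloc(size_t length) { return (4 * length) + 2; }

/* Worst-case UTF-8 bytes (excluding NUL) for `units` UTF-16 code units:
   a BMP code point needs up to 3 bytes, a surrogate pair (2 units) needs 4,
   so 3 bytes per unit is the tight bound; the patch's 4 per unit sits above it. */
size_t utf8_worst_case(size_t units) { return 3 * units; }

/* Convert `units` UTF-16LE code units at src into NUL-terminated UTF-8 in dst.
   Returns bytes written (excluding the NUL) or -1 if dst (dstlen bytes) would
   overflow. Unpaired surrogates become U+FFFD. Never writes past dstlen. */
long utf16le_to_utf8(const uint8_t *src, size_t units, char *dst, size_t dstlen)
{
    size_t out = 0;
    for (size_t i = 0; i < units; i++) {
        uint32_t cp = src[2 * i] | ((uint32_t)src[2 * i + 1] << 8);
        if (cp >= 0xD800 && cp <= 0xDBFF && i + 1 < units) {
            uint32_t lo = src[2 * (i + 1)] | ((uint32_t)src[2 * (i + 1) + 1] << 8);
            if (lo >= 0xDC00 && lo <= 0xDFFF) {
                cp = 0x10000 + ((cp - 0xD800) << 10) + (lo - 0xDC00);
                i++;                       /* consumed the low surrogate too */
            } else {
                cp = 0xFFFD;
            }
        } else if (cp >= 0xD800 && cp <= 0xDFFF) {
            cp = 0xFFFD;                   /* lone surrogate */
        }

        unsigned char buf[4];
        size_t n;
        if (cp < 0x80) {
            buf[0] = (unsigned char)cp; n = 1;
        } else if (cp < 0x800) {
            buf[0] = 0xC0 | (cp >> 6); buf[1] = 0x80 | (cp & 0x3F); n = 2;
        } else if (cp < 0x10000) {
            buf[0] = 0xE0 | (cp >> 12); buf[1] = 0x80 | ((cp >> 6) & 0x3F);
            buf[2] = 0x80 | (cp & 0x3F); n = 3;
        } else {
            buf[0] = 0xF0 | (cp >> 18); buf[1] = 0x80 | ((cp >> 12) & 0x3F);
            buf[2] = 0x80 | ((cp >> 6) & 0x3F); buf[3] = 0x80 | (cp & 0x3F); n = 4;
        }
        if (out + n + 1 > dstlen)          /* keep room for the NUL */
            return -1;
        memcpy(dst + out, buf, n);
        out += n;
    }
    dst[out] = '\0';
    return (long)out;
}

/* Constructed sample: "EUR EUR EUR" as three U+20AC code units in UTF-16LE.
   Each unit is 2 bytes on the wire but 3 bytes (E2 82 AC) in UTF-8. */
const uint8_t SAMPLE_EURO3[] = { 0xAC, 0x20, 0xAC, 0x20, 0xAC, 0x20 };
/* Constructed sample: one supplementary code point (U+1F600) as a surrogate pair. */
const uint8_t SAMPLE_PAIR[]  = { 0x3D, 0xD8, 0x00, 0xDE };

/* Convert a sample into a destination of `alloc_bytes` (capped at 64 for the
   stack buffer) and report the converter's result: -1 means the allocation
   was too small for the charset expansion. */
long demo_convert(const uint8_t *src, size_t units, size_t alloc_bytes)
{
    char dst[64];
    if (alloc_bytes > sizeof dst)
        alloc_bytes = sizeof dst;
    return utf16le_to_utf8(src, units, dst, alloc_bytes);
}

int main(void)
{
    size_t units = sizeof SAMPLE_EURO3 / 2;
    printf("worst case for %zu units: %zu bytes + NUL\n", units, utf8_worst_case(units));
    printf("old 2*(length+1) = %zu bytes -> result %ld\n",
           old_alloc(units), demo_convert(SAMPLE_EURO3, units, old_alloc(units)));
    printf("new 4*length+2   = %zu bytes -> result %ld\n",
           new_alloc(units), demo_convert(SAMPLE_EURO3, units, new_alloc(units)));
    return 0;
}
```

Run as written, the old formula yields an 8-byte destination for a string that needs 9 bytes plus a NUL, so a converter that checks its bound refuses, and one that does not would write past the allocation; the new formula yields 14 bytes and the conversion completes. The converter is the simplest correct shape for this check: compute each code point's encoded length before writing and compare against what remains, rather than trusting the caller's size arithmetic.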