[linux-cifs-client] [PATCH 3/5] cifs: Fix incorrect destination buffer size in cifs_strncpy_to_host (Try #2)

Suresh Jayaraman sjayaraman at suse.de
Thu May 7 05:03:13 GMT 2009


I think it is also important to fix an existing problem - using
src buffer length to NULL terminate dst buffer, while at it.
Jeff's patchset uses newly introduced helpers to fix this.

So, here is the revised patch.

Selected minimal hunks of commit 968460ebd8006d55661dec0fb86712b40d71c413.
Also fix an existing problem pointed out by Guenter Kukuk that the length of src
is used for NULL termination of dst.

Signed-off-by: Suresh Jayaraman <sjayaraman at suse.de>
---
 fs/cifs/cifssmb.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Index: linux-2.6.29.2/fs/cifs/cifssmb.c
===================================================================
--- linux-2.6.29.2.orig/fs/cifs/cifssmb.c
+++ linux-2.6.29.2/fs/cifs/cifssmb.c
@@ -91,23 +91,22 @@ static int
 cifs_strncpy_to_host(char **dst, const char *src, const int maxlen,
 		 const bool is_unicode, const struct nls_table *nls_codepage)
 {
-	int plen;
+	int src_len, dst_len;
 
 	if (is_unicode) {
-		plen = UniStrnlen((wchar_t *)src, maxlen);
-		*dst = kmalloc(plen + 2, GFP_KERNEL);
+		src_len = UniStrnlen((wchar_t *)src, maxlen);
+		*dst = kmalloc((4 * src_len) + 2, GFP_KERNEL);
 		if (!*dst)
 			goto cifs_strncpy_to_host_ErrExit;
-		cifs_strfromUCS_le(*dst, (__le16 *)src, plen, nls_codepage);
+		dst_len = cifs_strfromUCS_le(*dst, (__le16 *)src, src_len, nls_codepage);
+		(*dst)[dst_len + 1] = 0;
 	} else {
-		plen = strnlen(src, maxlen);
-		*dst = kmalloc(plen + 2, GFP_KERNEL);
+		src_len = strnlen(src, maxlen);
+		*dst = kmalloc(src_len + 1, GFP_KERNEL);
 		if (!*dst)
 			goto cifs_strncpy_to_host_ErrExit;
-		strncpy(*dst, src, plen);
+		strlcpy(*dst, src, src_len + 1);
 	}
-	(*dst)[plen] = 0;
-	(*dst)[plen+1] = 0; /* harmless for ASCII case, needed for Unicode */
 	return 0;
 
 cifs_strncpy_to_host_ErrExit:
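Review bot: in the ASCII branch, `strlcpy(*dst, src, src_len + 1)` computes strlen() over the whole source to produce its return value, so a src that is not NUL-terminated within maxlen is read past the bound that the preceding strnlen(src, maxlen) respected; copying exactly src_len bytes (memcpy or strncpy) followed by `(*dst)[src_len] = 0;` keeps every read inside maxlen. In the Unicode branch the hunk stores only the second terminator byte, `(*dst)[dst_len + 1] = 0;`, so it depends on cifs_strfromUCS_le() having already written the first NUL at (*dst)[dst_len]; the removed comment ("harmless for ASCII case, needed for Unicode") should be carried over to that line so the single store is not mistaken for an off-by-one. The diffstat header still reads "1 insertion(+), 1 deletion(-)" from the first version and no longer matches this hunk.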

Suresh Jayaraman wrote:
> adding missing S-O-B's
> 
> 
> Suresh Jayaraman wrote:
>> From: Suresh Jayaraman <sjayaraman at suse.de>
>> Subject: Fix incorrect destination buffer size in cifs_strncpy_to_host
>>
>> Selected minimal hunks of commit 968460ebd8006d55661dec0fb86712b40d71c413
> 
> Signed-off-by: Suresh Jayaraman <sjayaraman at suse.de>
> Acked-by: Jeff Layton <jlayton at redhat.com>
> Signed-off-by: Steve French <sfrench at us.ibm.com>
> 
>> ---
>>  fs/cifs/cifssmb.c |    2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> Index: linux-2.6.29.2/fs/cifs/cifssmb.c
>> ===================================================================
>> --- linux-2.6.29.2.orig/fs/cifs/cifssmb.c
>> +++ linux-2.6.29.2/fs/cifs/cifssmb.c
>> @@ -95,7 +95,7 @@ cifs_strncpy_to_host(char **dst, const c
>>  
>>  	if (is_unicode) {
>>  		plen = UniStrnlen((wchar_t *)src, maxlen);
>> -		*dst = kmalloc(plen + 2, GFP_KERNEL);
>> +		*dst = kmalloc((4 * plen) + 2, GFP_KERNEL);
>>  		if (!*dst)
>>  			goto cifs_strncpy_to_host_ErrExit;
>>  		cifs_strfromUCS_le(*dst, (__le16 *)src, plen, nls_codepage);
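Review bot: this earlier version only enlarges the allocation to (4 * plen) + 2, while the terminating writes just below the hunk still index with plen, the source length in 16-bit units, rather than the byte count cifs_strfromUCS_le() actually produced; with a multibyte codepage the converted string can be longer than plen bytes, so the two NUL stores land inside the converted text and the real end of the string is left unterminated. Using the return value of cifs_strfromUCS_le() for the terminator index, as the revised patch at the top of this message does, is the fix.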
>> _______________________________________________
>> linux-cifs-client mailing list
>> linux-cifs-client at lists.samba.org
>> https://lists.samba.org/mailman/listinfo/linux-cifs-client
> 
> 


-- 
Suresh Jayaraman

