[PATCH v2] cifs: extend the buffer length enought for sprintf() using
Steve French
smfrench at gmail.com
Fri Jul 19 10:18:23 MDT 2013
Added CC: <stable at vger.kernel.org>
On Fri, Jul 19, 2013 at 10:46 AM, Steve French <smfrench at gmail.com> wrote:
> merged into cifs-2.6.git
>
> On Fri, Jul 19, 2013 at 5:45 AM, Jeff Layton <jlayton at redhat.com> wrote:
>> On Fri, 19 Jul 2013 09:01:36 +0800
>> Chen Gang <gang.chen at asianux.com> wrote:
>>
>>> For cifs_set_cifscreds() in "fs/cifs/connect.c", 'desc' buffer length
>>> is 'CIFSCREDS_DESC_SIZE' (56 is less than 256), and 'ses->domainName'
>>> length may be "255 + '\0'".
>>>
>>> The related sprintf() may cause memory overflow, so need extend related
>>> buffer enough to hold all things.
>>>
>>> It is also necessary to be sure of 'ses->domainName' must be less than
>>> 256, and define the related macro instead of hard code number '256'.
>>>
>>> Signed-off-by: Chen Gang <gang.chen at asianux.com>
>>> ---
>>> fs/cifs/cifsencrypt.c | 2 +-
>>> fs/cifs/cifsglob.h | 1 +
>>> fs/cifs/connect.c | 7 ++++---
>>> fs/cifs/sess.c | 6 +++---
>>> 4 files changed, 9 insertions(+), 7 deletions(-)
>>>
>>> diff --git a/fs/cifs/cifsencrypt.c b/fs/cifs/cifsencrypt.c
>>> index 45e57cc..bb84d7c 100644
>>> --- a/fs/cifs/cifsencrypt.c
>>> +++ b/fs/cifs/cifsencrypt.c
>>> @@ -421,7 +421,7 @@ find_domain_name(struct cifs_ses *ses, const struct nls_table *nls_cp)
>>> if (blobptr + attrsize > blobend)
>>> break;
>>> if (type == NTLMSSP_AV_NB_DOMAIN_NAME) {
>>> - if (!attrsize)
>>> + if (!attrsize || attrsize >= MAX_DOMAINNAME_SIZE)
>>> break;
>>> if (!ses->domainName) {
>>> ses->domainName =
>>> diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h
>>> index 33f17ed..64bb4c5 100644
>>> --- a/fs/cifs/cifsglob.h
>>> +++ b/fs/cifs/cifsglob.h
>>> @@ -44,6 +44,7 @@
>>> #define MAX_TREE_SIZE (2 + MAX_SERVER_SIZE + 1 + MAX_SHARE_SIZE + 1)
>>> #define MAX_SERVER_SIZE 15
>>> #define MAX_SHARE_SIZE 80
>>> +#define MAX_DOMAINNAME_SIZE 256 /* maximum fully qualified domain name (FQDN) */
>>> #define MAX_USERNAME_SIZE 256 /* reasonable maximum for current servers */
>>> #define MAX_PASSWORD_SIZE 512 /* max for windows seems to be 256 wide chars */
>>>
>>> diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
>>> index fa68813..3f9dcf7 100644
>>> --- a/fs/cifs/connect.c
>>> +++ b/fs/cifs/connect.c
>>> @@ -1675,7 +1675,8 @@ cifs_parse_mount_options(const char *mountdata, const char *devname,
>>> if (string == NULL)
>>> goto out_nomem;
>>>
>>> - if (strnlen(string, 256) == 256) {
>>> + if (strnlen(string, MAX_DOMAINNAME_SIZE)
>>> + == MAX_DOMAINNAME_SIZE) {
>>> printk(KERN_WARNING "CIFS: domain name too"
>>> " long\n");
>>> goto cifs_parse_mount_err;
>>> @@ -2276,8 +2277,8 @@ cifs_put_smb_ses(struct cifs_ses *ses)
>>>
>>> #ifdef CONFIG_KEYS
>>>
>>> -/* strlen("cifs:a:") + INET6_ADDRSTRLEN + 1 */
>>> -#define CIFSCREDS_DESC_SIZE (7 + INET6_ADDRSTRLEN + 1)
>>> +/* strlen("cifs:a:") + MAX_DOMAINNAME_SIZE + 1 */
>>> +#define CIFSCREDS_DESC_SIZE (7 + MAX_DOMAINNAME_SIZE + 1)
>>>
>>> /* Populate username and pw fields from keyring if possible */
>>> static int
>>> diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
>>> index 79358e3..57b1537 100644
>>> --- a/fs/cifs/sess.c
>>> +++ b/fs/cifs/sess.c
>>> @@ -197,7 +197,7 @@ static void unicode_domain_string(char **pbcc_area, struct cifs_ses *ses,
>>> bytes_ret = 0;
>>> } else
>>> bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, ses->domainName,
>>> - 256, nls_cp);
>>> + MAX_DOMAINNAME_SIZE, nls_cp);
>>> bcc_ptr += 2 * bytes_ret;
>>> bcc_ptr += 2; /* account for null terminator */
>>>
>>> @@ -255,8 +255,8 @@ static void ascii_ssetup_strings(char **pbcc_area, struct cifs_ses *ses,
>>>
>>> /* copy domain */
>>> if (ses->domainName != NULL) {
>>> - strncpy(bcc_ptr, ses->domainName, 256);
>>> - bcc_ptr += strnlen(ses->domainName, 256);
>>> + strncpy(bcc_ptr, ses->domainName, MAX_DOMAINNAME_SIZE);
>>> + bcc_ptr += strnlen(ses->domainName, MAX_DOMAINNAME_SIZE);
>>> } /* else we will send a null domain name
>>> so the server will default to its own domain */
>>> *bcc_ptr = 0;
>>
>> Looks good...
>>
>> Reviewed-by: Jeff Layton <jlayton at redhat.com>
>
>
>
> --
> Thanks,
>
> Steve
--
Thanks,
Steve
More information about the samba-technical
mailing list