[PATCH] cifs: fix potential overflow in cifs_compose_mount_options
Steve French
smfrench at gmail.com
Thu Feb 11 00:08:16 UTC 2016
On Mon, Feb 1, 2016 at 10:34 AM, Insu Yun <wuninsu at gmail.com> wrote:
> In worst case, "ip=" + sb_mountdata + ipv6 can be copied into mountdata.
> Therefore, for safe, it is better to add more size when allocating memory.
>
> Signed-off-by: Insu Yun <wuninsu at gmail.com>
> ---
> fs/cifs/cifs_dfs_ref.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fs/cifs/cifs_dfs_ref.c b/fs/cifs/cifs_dfs_ref.c
> index 7dc886c..e956cba 100644
> --- a/fs/cifs/cifs_dfs_ref.c
> +++ b/fs/cifs/cifs_dfs_ref.c
> @@ -175,7 +175,7 @@ char *cifs_compose_mount_options(const char
> *sb_mountdata,
> * string to the length of the original string to allow for worst
> case.
> */
> md_len = strlen(sb_mountdata) + INET6_ADDRSTRLEN;
> - mountdata = kzalloc(md_len + 1, GFP_KERNEL);
> + mountdata = kzalloc(md_len + sizeof("ip=") + 1, GFP_KERNEL);
> if (mountdata == NULL) {
> rc = -ENOMEM;
> goto compose_mount_options_err;
Not likely to be reproducible in practice (since ip= is already in the
sb_mountdata) but in case mount.cifs was missing and ip= was missing from
the original mount string, might as well add it.
Merged into cifs-2.6.git
--
Thanks,
Steve
More information about the samba-technical
mailing list