diff options
| author | Chen Gang <gang.chen@asianux.com> | 2013-07-18 21:01:36 -0400 |
|---|---|---|
| committer | Steve French <smfrench@gmail.com> | 2013-07-31 00:54:40 -0400 |
| commit | 057d6332b24a4497c55a761c83c823eed9e3f23b (patch) | |
| tree | 15ad5c70288bc61084fd01c2f9b0db208d581c12 /fs/cifs | |
| parent | ecb2cf1a6b63825a258ff4fe0d7f3070fbe4676b (diff) | |
cifs: extend the buffer length enought for sprintf() using
For cifs_set_cifscreds() in "fs/cifs/connect.c", 'desc' buffer length
is 'CIFSCREDS_DESC_SIZE' (56 is less than 256), and 'ses->domainName'
length may be "255 + '\0'".
The related sprintf() may cause memory overflow, so need extend related
buffer enough to hold all things.
It is also necessary to be sure of 'ses->domainName' must be less than
256, and define the related macro instead of hard code number '256'.
Signed-off-by: Chen Gang <gang.chen@asianux.com>
Reviewed-by: Jeff Layton <jlayton@redhat.com>
Reviewed-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
Reviewed-by: Scott Lovenberg <scott.lovenberg@gmail.com>
CC: <stable@vger.kernel.org>
Signed-off-by: Steve French <smfrench@gmail.com>
Diffstat (limited to 'fs/cifs')
| -rw-r--r-- | fs/cifs/cifsencrypt.c | 2 | ||||
| -rw-r--r-- | fs/cifs/cifsglob.h | 1 | ||||
| -rw-r--r-- | fs/cifs/connect.c | 7 | ||||
| -rw-r--r-- | fs/cifs/sess.c | 6 |
4 files changed, 9 insertions, 7 deletions
diff --git a/fs/cifs/cifsencrypt.c b/fs/cifs/cifsencrypt.c index 45e57cc38200..194f9cce5d83 100644 --- a/fs/cifs/cifsencrypt.c +++ b/fs/cifs/cifsencrypt.c | |||
| @@ -421,7 +421,7 @@ find_domain_name(struct cifs_ses *ses, const struct nls_table *nls_cp) | |||
| 421 | if (blobptr + attrsize > blobend) | 421 | if (blobptr + attrsize > blobend) |
| 422 | break; | 422 | break; |
| 423 | if (type == NTLMSSP_AV_NB_DOMAIN_NAME) { | 423 | if (type == NTLMSSP_AV_NB_DOMAIN_NAME) { |
| 424 | if (!attrsize) | 424 | if (!attrsize || attrsize >= CIFS_MAX_DOMAINNAME_LEN) |
| 425 | break; | 425 | break; |
| 426 | if (!ses->domainName) { | 426 | if (!ses->domainName) { |
| 427 | ses->domainName = | 427 | ses->domainName = |
diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h index 1fdc37041057..0e68893f26f3 100644 --- a/fs/cifs/cifsglob.h +++ b/fs/cifs/cifsglob.h | |||
| @@ -44,6 +44,7 @@ | |||
| 44 | #define MAX_TREE_SIZE (2 + MAX_SERVER_SIZE + 1 + MAX_SHARE_SIZE + 1) | 44 | #define MAX_TREE_SIZE (2 + MAX_SERVER_SIZE + 1 + MAX_SHARE_SIZE + 1) |
| 45 | #define MAX_SERVER_SIZE 15 | 45 | #define MAX_SERVER_SIZE 15 |
| 46 | #define MAX_SHARE_SIZE 80 | 46 | #define MAX_SHARE_SIZE 80 |
| 47 | #define CIFS_MAX_DOMAINNAME_LEN 256 /* max domain name length */ | ||
| 47 | #define MAX_USERNAME_SIZE 256 /* reasonable maximum for current servers */ | 48 | #define MAX_USERNAME_SIZE 256 /* reasonable maximum for current servers */ |
| 48 | #define MAX_PASSWORD_SIZE 512 /* max for windows seems to be 256 wide chars */ | 49 | #define MAX_PASSWORD_SIZE 512 /* max for windows seems to be 256 wide chars */ |
| 49 | 50 | ||
diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c index fa68813396b5..d67c550c4980 100644 --- a/fs/cifs/connect.c +++ b/fs/cifs/connect.c | |||
| @@ -1675,7 +1675,8 @@ cifs_parse_mount_options(const char *mountdata, const char *devname, | |||
| 1675 | if (string == NULL) | 1675 | if (string == NULL) |
| 1676 | goto out_nomem; | 1676 | goto out_nomem; |
| 1677 | 1677 | ||
| 1678 | if (strnlen(string, 256) == 256) { | 1678 | if (strnlen(string, CIFS_MAX_DOMAINNAME_LEN) |
| 1679 | == CIFS_MAX_DOMAINNAME_LEN) { | ||
| 1679 | printk(KERN_WARNING "CIFS: domain name too" | 1680 | printk(KERN_WARNING "CIFS: domain name too" |
| 1680 | " long\n"); | 1681 | " long\n"); |
| 1681 | goto cifs_parse_mount_err; | 1682 | goto cifs_parse_mount_err; |
| @@ -2276,8 +2277,8 @@ cifs_put_smb_ses(struct cifs_ses *ses) | |||
| 2276 | 2277 | ||
| 2277 | #ifdef CONFIG_KEYS | 2278 | #ifdef CONFIG_KEYS |
| 2278 | 2279 | ||
| 2279 | /* strlen("cifs:a:") + INET6_ADDRSTRLEN + 1 */ | 2280 | /* strlen("cifs:a:") + CIFS_MAX_DOMAINNAME_LEN + 1 */ |
| 2280 | #define CIFSCREDS_DESC_SIZE (7 + INET6_ADDRSTRLEN + 1) | 2281 | #define CIFSCREDS_DESC_SIZE (7 + CIFS_MAX_DOMAINNAME_LEN + 1) |
| 2281 | 2282 | ||
| 2282 | /* Populate username and pw fields from keyring if possible */ | 2283 | /* Populate username and pw fields from keyring if possible */ |
| 2283 | static int | 2284 | static int |
diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c index 79358e341fd2..08dd37bb23aa 100644 --- a/fs/cifs/sess.c +++ b/fs/cifs/sess.c | |||
| @@ -197,7 +197,7 @@ static void unicode_domain_string(char **pbcc_area, struct cifs_ses *ses, | |||
| 197 | bytes_ret = 0; | 197 | bytes_ret = 0; |
| 198 | } else | 198 | } else |
| 199 | bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, ses->domainName, | 199 | bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, ses->domainName, |
| 200 | 256, nls_cp); | 200 | CIFS_MAX_DOMAINNAME_LEN, nls_cp); |
| 201 | bcc_ptr += 2 * bytes_ret; | 201 | bcc_ptr += 2 * bytes_ret; |
| 202 | bcc_ptr += 2; /* account for null terminator */ | 202 | bcc_ptr += 2; /* account for null terminator */ |
| 203 | 203 | ||
| @@ -255,8 +255,8 @@ static void ascii_ssetup_strings(char **pbcc_area, struct cifs_ses *ses, | |||
| 255 | 255 | ||
| 256 | /* copy domain */ | 256 | /* copy domain */ |
| 257 | if (ses->domainName != NULL) { | 257 | if (ses->domainName != NULL) { |
| 258 | strncpy(bcc_ptr, ses->domainName, 256); | 258 | strncpy(bcc_ptr, ses->domainName, CIFS_MAX_DOMAINNAME_LEN); |
| 259 | bcc_ptr += strnlen(ses->domainName, 256); | 259 | bcc_ptr += strnlen(ses->domainName, CIFS_MAX_DOMAINNAME_LEN); |
| 260 | } /* else we will send a null domain name | 260 | } /* else we will send a null domain name |
| 261 | so the server will default to its own domain */ | 261 | so the server will default to its own domain */ |
| 262 | *bcc_ptr = 0; | 262 | *bcc_ptr = 0; |