diff options
| author | Chen Gang <gang.chen@asianux.com> | 2013-07-18 21:01:36 -0400 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2013-08-15 01:59:09 -0400 |
| commit | 4350018a57c333907db092beeb9fa65a82a258ed (patch) | |
| tree | 3a6671fea1d80ced3c3e20072a77c364a7ce29cf /fs/cifs | |
| parent | 72766b0bec55b104c414a22f2e8ecdbb6bb1e19e (diff) | |
cifs: extend the buffer length enought for sprintf() using
commit 057d6332b24a4497c55a761c83c823eed9e3f23b upstream.
For cifs_set_cifscreds() in "fs/cifs/connect.c", 'desc' buffer length
is 'CIFSCREDS_DESC_SIZE' (56 is less than 256), and 'ses->domainName'
length may be "255 + '\0'".
The related sprintf() may cause memory overflow, so need extend related
buffer enough to hold all things.
It is also necessary to be sure of 'ses->domainName' must be less than
256, and define the related macro instead of hard code number '256'.
Signed-off-by: Chen Gang <gang.chen@asianux.com>
Reviewed-by: Jeff Layton <jlayton@redhat.com>
Reviewed-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
Reviewed-by: Scott Lovenberg <scott.lovenberg@gmail.com>
Signed-off-by: Steve French <smfrench@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'fs/cifs')
| -rw-r--r-- | fs/cifs/cifsencrypt.c | 2 | ||||
| -rw-r--r-- | fs/cifs/cifsglob.h | 1 | ||||
| -rw-r--r-- | fs/cifs/connect.c | 7 | ||||
| -rw-r--r-- | fs/cifs/sess.c | 6 |
4 files changed, 9 insertions, 7 deletions
diff --git a/fs/cifs/cifsencrypt.c b/fs/cifs/cifsencrypt.c index f59d0d58258e..5c807b23ca67 100644 --- a/fs/cifs/cifsencrypt.c +++ b/fs/cifs/cifsencrypt.c | |||
| @@ -389,7 +389,7 @@ find_domain_name(struct cifs_ses *ses, const struct nls_table *nls_cp) | |||
| 389 | if (blobptr + attrsize > blobend) | 389 | if (blobptr + attrsize > blobend) |
| 390 | break; | 390 | break; |
| 391 | if (type == NTLMSSP_AV_NB_DOMAIN_NAME) { | 391 | if (type == NTLMSSP_AV_NB_DOMAIN_NAME) { |
| 392 | if (!attrsize) | 392 | if (!attrsize || attrsize >= CIFS_MAX_DOMAINNAME_LEN) |
| 393 | break; | 393 | break; |
| 394 | if (!ses->domainName) { | 394 | if (!ses->domainName) { |
| 395 | ses->domainName = | 395 | ses->domainName = |
diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h index 4f07f6fbe494..ea3a0b3018a5 100644 --- a/fs/cifs/cifsglob.h +++ b/fs/cifs/cifsglob.h | |||
| @@ -44,6 +44,7 @@ | |||
| 44 | #define MAX_TREE_SIZE (2 + MAX_SERVER_SIZE + 1 + MAX_SHARE_SIZE + 1) | 44 | #define MAX_TREE_SIZE (2 + MAX_SERVER_SIZE + 1 + MAX_SHARE_SIZE + 1) |
| 45 | #define MAX_SERVER_SIZE 15 | 45 | #define MAX_SERVER_SIZE 15 |
| 46 | #define MAX_SHARE_SIZE 80 | 46 | #define MAX_SHARE_SIZE 80 |
| 47 | #define CIFS_MAX_DOMAINNAME_LEN 256 /* max domain name length */ | ||
| 47 | #define MAX_USERNAME_SIZE 256 /* reasonable maximum for current servers */ | 48 | #define MAX_USERNAME_SIZE 256 /* reasonable maximum for current servers */ |
| 48 | #define MAX_PASSWORD_SIZE 512 /* max for windows seems to be 256 wide chars */ | 49 | #define MAX_PASSWORD_SIZE 512 /* max for windows seems to be 256 wide chars */ |
| 49 | 50 | ||
diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c index e3bc39bb9d12..d6a5c5ac737b 100644 --- a/fs/cifs/connect.c +++ b/fs/cifs/connect.c | |||
| @@ -1662,7 +1662,8 @@ cifs_parse_mount_options(const char *mountdata, const char *devname, | |||
| 1662 | if (string == NULL) | 1662 | if (string == NULL) |
| 1663 | goto out_nomem; | 1663 | goto out_nomem; |
| 1664 | 1664 | ||
| 1665 | if (strnlen(string, 256) == 256) { | 1665 | if (strnlen(string, CIFS_MAX_DOMAINNAME_LEN) |
| 1666 | == CIFS_MAX_DOMAINNAME_LEN) { | ||
| 1666 | printk(KERN_WARNING "CIFS: domain name too" | 1667 | printk(KERN_WARNING "CIFS: domain name too" |
| 1667 | " long\n"); | 1668 | " long\n"); |
| 1668 | goto cifs_parse_mount_err; | 1669 | goto cifs_parse_mount_err; |
| @@ -2288,8 +2289,8 @@ cifs_put_smb_ses(struct cifs_ses *ses) | |||
| 2288 | 2289 | ||
| 2289 | #ifdef CONFIG_KEYS | 2290 | #ifdef CONFIG_KEYS |
| 2290 | 2291 | ||
| 2291 | /* strlen("cifs:a:") + INET6_ADDRSTRLEN + 1 */ | 2292 | /* strlen("cifs:a:") + CIFS_MAX_DOMAINNAME_LEN + 1 */ |
| 2292 | #define CIFSCREDS_DESC_SIZE (7 + INET6_ADDRSTRLEN + 1) | 2293 | #define CIFSCREDS_DESC_SIZE (7 + CIFS_MAX_DOMAINNAME_LEN + 1) |
| 2293 | 2294 | ||
| 2294 | /* Populate username and pw fields from keyring if possible */ | 2295 | /* Populate username and pw fields from keyring if possible */ |
| 2295 | static int | 2296 | static int |
diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c index f230571a7ab3..8edc9eb1ef7b 100644 --- a/fs/cifs/sess.c +++ b/fs/cifs/sess.c | |||
| @@ -198,7 +198,7 @@ static void unicode_domain_string(char **pbcc_area, struct cifs_ses *ses, | |||
| 198 | bytes_ret = 0; | 198 | bytes_ret = 0; |
| 199 | } else | 199 | } else |
| 200 | bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, ses->domainName, | 200 | bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, ses->domainName, |
| 201 | 256, nls_cp); | 201 | CIFS_MAX_DOMAINNAME_LEN, nls_cp); |
| 202 | bcc_ptr += 2 * bytes_ret; | 202 | bcc_ptr += 2 * bytes_ret; |
| 203 | bcc_ptr += 2; /* account for null terminator */ | 203 | bcc_ptr += 2; /* account for null terminator */ |
| 204 | 204 | ||
| @@ -256,8 +256,8 @@ static void ascii_ssetup_strings(char **pbcc_area, struct cifs_ses *ses, | |||
| 256 | 256 | ||
| 257 | /* copy domain */ | 257 | /* copy domain */ |
| 258 | if (ses->domainName != NULL) { | 258 | if (ses->domainName != NULL) { |
| 259 | strncpy(bcc_ptr, ses->domainName, 256); | 259 | strncpy(bcc_ptr, ses->domainName, CIFS_MAX_DOMAINNAME_LEN); |
| 260 | bcc_ptr += strnlen(ses->domainName, 256); | 260 | bcc_ptr += strnlen(ses->domainName, CIFS_MAX_DOMAINNAME_LEN); |
| 261 | } /* else we will send a null domain name | 261 | } /* else we will send a null domain name |
| 262 | so the server will default to its own domain */ | 262 | so the server will default to its own domain */ |
| 263 | *bcc_ptr = 0; | 263 | *bcc_ptr = 0; |