CIFS: Fix memory over bound bug in cifs_parse_mount_options

While password processing we can get out of options array bound if
the next character after array is delimiter. The patch adds a check
if we reach the end.

Signed-off-by: Pavel Shilovsky <piastry@etersoft.ru>
Reviewed-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>

1 files changed, 3 insertions, 2 deletions

diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index db9d55b507d0..4bc862a80efa 100644
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -807,8 +807,7 @@ static int
 cifs_parse_mount_options(char *options, const char *devname,
                          struct smb_vol *vol)
 {
-        char *value;
-        char *data;
+        char *value, *data, *end;
         unsigned int  temp_len, i, j;
         char separator[2];
         short int override_uid = -1;
@@ -851,6 +850,7 @@ cifs_parse_mount_options(char *options, const char *devname,
         if (!options)
                 return 1;
 
+        end = options + strlen(options);
         if (strncmp(options, "sep=", 4) == 0) {
                 if (options[4] != 0) {
                         separator[0] = options[4];
@@ -916,6 +916,7 @@ cifs_parse_mount_options(char *options, const char *devname,
                         the only illegal character in a password is null */
 
                         if ((value[temp_len] == 0) &&
+                            (value + temp_len < end) &&
                             (value[temp_len+1] == separator[0])) {
                                 /* reinsert comma */
                                 value[temp_len] = separator[0];