diff options
author | Steve French <sfrench@us.ibm.com> | 2010-02-06 02:08:53 -0500 |
---|---|---|
committer | Steve French <sfrench@us.ibm.com> | 2010-02-06 02:08:53 -0500 |
commit | 301a6a317797ca362951ea21da397c05236f0070 (patch) | |
tree | 14742eb9a7fe51b854a1a6bd6f3efa89c53aa51e /fs | |
parent | f12f98dba6ea1517cd7fbb912208893b9c014c15 (diff) |
[CIFS] Maximum username length check in session setup does not match
Fix length check reported by D. Binderman (see below)
d binderman <dcb314@hotmail.com> wrote:
>
> I just ran the sourceforge tool cppcheck over the source code of the
> new Linux kernel 2.6.33-rc6
>
> It said
>
> [./cifs/sess.c:250]: (error) Buffer access out-of-bounds
May turn out to be harmless, but best to be safe. Note max
username length is defined to 32 due to Linux (Windows
maximum is 20).
Signed-off-by: Steve French <sfrench@us.ibm.com>
Diffstat (limited to 'fs')
-rw-r--r-- | fs/cifs/sess.c | 11 |
1 files changed, 5 insertions, 6 deletions
diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c index 7085a6275c4c..aaa9c1c5a5bd 100644 --- a/fs/cifs/sess.c +++ b/fs/cifs/sess.c | |||
@@ -223,9 +223,9 @@ static void unicode_ssetup_strings(char **pbcc_area, struct cifsSesInfo *ses, | |||
223 | /* null user mount */ | 223 | /* null user mount */ |
224 | *bcc_ptr = 0; | 224 | *bcc_ptr = 0; |
225 | *(bcc_ptr+1) = 0; | 225 | *(bcc_ptr+1) = 0; |
226 | } else { /* 300 should be long enough for any conceivable user name */ | 226 | } else { |
227 | bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, ses->userName, | 227 | bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, ses->userName, |
228 | 300, nls_cp); | 228 | MAX_USERNAME_SIZE, nls_cp); |
229 | } | 229 | } |
230 | bcc_ptr += 2 * bytes_ret; | 230 | bcc_ptr += 2 * bytes_ret; |
231 | bcc_ptr += 2; /* account for null termination */ | 231 | bcc_ptr += 2; /* account for null termination */ |
@@ -246,11 +246,10 @@ static void ascii_ssetup_strings(char **pbcc_area, struct cifsSesInfo *ses, | |||
246 | /* copy user */ | 246 | /* copy user */ |
247 | if (ses->userName == NULL) { | 247 | if (ses->userName == NULL) { |
248 | /* BB what about null user mounts - check that we do this BB */ | 248 | /* BB what about null user mounts - check that we do this BB */ |
249 | } else { /* 300 should be long enough for any conceivable user name */ | 249 | } else { |
250 | strncpy(bcc_ptr, ses->userName, 300); | 250 | strncpy(bcc_ptr, ses->userName, MAX_USERNAME_SIZE); |
251 | } | 251 | } |
252 | /* BB improve check for overflow */ | 252 | bcc_ptr += strnlen(ses->userName, MAX_USERNAME_SIZE); |
253 | bcc_ptr += strnlen(ses->userName, 300); | ||
254 | *bcc_ptr = 0; | 253 | *bcc_ptr = 0; |
255 | bcc_ptr++; /* account for null termination */ | 254 | bcc_ptr++; /* account for null termination */ |
256 | 255 | ||