Commit 4906e50b37e6f6c264e7ee4237343eb2b7f8d16d
Committed by
Steve French
Steve French
1 parent
f0e615c3cb
Exists in
master
and in
4 other branches
CIFS: Fix memory over bound bug in cifs_parse_mount_options
While password processing we can get out of options array bound if the next character after array is delimiter. The patch adds a check if we reach the end. Signed-off-by: Pavel Shilovsky <piastry@etersoft.ru> Reviewed-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
Showing 1 changed file with 3 additions and 2 deletions Side-by-side Diff
fs/cifs/connect.c
| ... | ... | @@ -807,8 +807,7 @@ |
| 807 | 807 | cifs_parse_mount_options(char *options, const char *devname, |
| 808 | 808 | struct smb_vol *vol) |
| 809 | 809 | { |
| 810 | - char *value; | |
| 811 | - char *data; | |
| 810 | + char *value, *data, *end; | |
| 812 | 811 | unsigned int temp_len, i, j; |
| 813 | 812 | char separator[2]; |
| 814 | 813 | short int override_uid = -1; |
| ... | ... | @@ -851,6 +850,7 @@ |
| 851 | 850 | if (!options) |
| 852 | 851 | return 1; |
| 853 | 852 | |
| 853 | + end = options + strlen(options); | |
| 854 | 854 | if (strncmp(options, "sep=", 4) == 0) { |
| 855 | 855 | if (options[4] != 0) { |
| 856 | 856 | separator[0] = options[4]; |
| ... | ... | @@ -916,6 +916,7 @@ |
| 916 | 916 | the only illegal character in a password is null */ |
| 917 | 917 | |
| 918 | 918 | if ((value[temp_len] == 0) && |
| 919 | + (value + temp_len < end) && | |
| 919 | 920 | (value[temp_len+1] == separator[0])) { |
| 920 | 921 | /* reinsert comma */ |
| 921 | 922 | value[temp_len] = separator[0]; |