cifs: fix buffer overrun in parse_DFS_referrals

While testing a kernel with memory poisoning enabled, I saw some warnings
about the redzone getting clobbered when chasing DFS referrals. The
buffer allocation for the unicode converted version of the searchName is
too small and needs to take null termination into account.

Signed-off-by: Jeff Layton <jlayton@redhat.com>
Acked-by: Steve French <sfrench@us.ibm.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

authored by Jeff Layton and committed by Linus Torvalds 331c3135 a52519f2

+2 -1
fs/cifs/cifssmb.c
··· 3983 3983 3984 3984 node->flags = le16_to_cpu(pSMBr->DFSFlags); 3985 3985 if (is_unicode) { 3986 - __le16 *tmp = kmalloc(strlen(searchName)*2, GFP_KERNEL); 3986 + __le16 *tmp = kmalloc(strlen(searchName)*2 + 2, 3987 + GFP_KERNEL); 3987 3988 cifsConvertToUCS((__le16 *) tmp, searchName, 3988 3989 PATH_MAX, nls_codepage, remap); 3989 3990 node->path_consumed = hostlen_fromUCS(tmp,
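Review bot: the result of kmalloc() in the changed line is handed to cifsConvertToUCS() on the very next line with no NULL check visible in between, so a failed GFP_KERNEL allocation would be written through; add an `if (tmp == NULL)` check that bails out with an error before the conversion. The conversion is also still bounded by PATH_MAX rather than by the size just allocated, so the fix relies on strlen(searchName)*2 + 2 always covering what cifsConvertToUCS() writes; a one-line comment saying the + 2 is the 16-bit null terminator, or a bound derived from the allocation size, would make that assumption explicit. The `(__le16 *)` cast on tmp is redundant, since tmp is already declared as `__le16 *`.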