cifs: fix buffer size for tcon->nativeFileSystem field

The buffer for this was resized recently to fix a bug. It's still
possible however that a malicious server could overflow this field
by sending characters in it that are >2 bytes in the local charset.
Double the size of the buffer to account for this possibility.

Also get rid of some really strange and seemingly pointless NULL
termination. It's NULL terminating the string in the source buffer,
but by the time that happens, we've already copied the string.

Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>

authored by Jeff Layton and committed by Steve French f083def6 27b87fe5

+2 -5
fs/cifs/connect.c
··· 3756 3756 BCC(smb_buffer_response)) { 3757 3757 kfree(tcon->nativeFileSystem); 3758 3758 tcon->nativeFileSystem = 3759 - kzalloc(2*(length + 1), GFP_KERNEL); 3759 + kzalloc((4 * length) + 2, GFP_KERNEL); 3760 3760 if (tcon->nativeFileSystem) 3761 3761 cifs_strfromUCS_le( 3762 3762 tcon->nativeFileSystem, 3763 3763 (__le16 *) bcc_ptr, 3764 3764 length, nls_codepage); 3765 - bcc_ptr += 2 * length; 3766 - bcc_ptr[0] = 0; /* null terminate the string */ 3767 - bcc_ptr[1] = 0; 3768 - bcc_ptr += 2; 3765 + bcc_ptr += (2 * length) + 2; 3769 3766 } 3770 3767 /* else do not bother copying these information fields*/ 3771 3768 } else {
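Review bot: the new allocation `kzalloc((4 * length) + 2, GFP_KERNEL)` hard-codes 4 as the maximum number of local-charset bytes produced per 16-bit input unit, but nothing in the hunk states where that bound comes from or enforces it; `cifs_strfromUCS_le(tcon->nativeFileSystem, (__le16 *) bcc_ptr, length, nls_codepage)` is not given the destination size, so if a codepage can emit more than 4 bytes per unit a hostile reply still overflows the heap buffer. Suggest a comment or named constant documenting the per-character bound, and preferably a converter that takes the output length and truncates. On the pointer arithmetic, `bcc_ptr += (2 * length) + 2;` advances by the same amount as the removed `bcc_ptr += 2 * length;` plus `bcc_ptr += 2;`, so dropping the two zero writes into the response buffer leaves parsing of the following fields unchanged.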