From: Suresh Jayaraman <sjayaraman-l3A5Bk7waGM@public.gmane.org>
To: Jeff Layton <jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Cc: smfrench-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org,
linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
dcl-HN4QTLPn1qTvY7RNz7mR4EEOCMrvLtNR@public.gmane.org
Subject: Re: [PATCH] cifs: fix possible memory corruption in CIFSFindNext
Date: Tue, 23 Aug 2011 17:55:25 +0530 [thread overview]
Message-ID: <4E539C35.70004@suse.de> (raw)
In-Reply-To: <1314098488-1547-1-git-send-email-jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
On 08/23/2011 04:51 PM, Jeff Layton wrote:
> The name_len variable in CIFSFindNext is a signed int that gets set to
> the resume_name_len in the cifs_search_info. The resume_name_len however
> is unsigned and for some infolevels is populated directly from a 32 bit
> value sent by the server.
>
> If the server sends a very large value for this, then that value could
> look negative when converted to a signed int. That would make that
> value pass the PATH_MAX check later in CIFSFindNext. The name_len would
> then be used as a length value for a memcpy. It would then be treated
> as unsigned again, and the memcpy scribbles over a ton of memory.
>
> Fix this by making the name_len an unsigned value in CIFSFindNext.
>
> Cc: <stable-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
> Reported-by: Darren Lavender <dcl-HN4QTLPn1qTvY7RNz7mR4EEOCMrvLtNR@public.gmane.org>
> Signed-off-by: Jeff Layton <jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
> ---
> fs/cifs/cifssmb.c | 3 ++-
> 1 files changed, 2 insertions(+), 1 deletions(-)
>
> diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c
> index f4d0988..950464d 100644
> --- a/fs/cifs/cifssmb.c
> +++ b/fs/cifs/cifssmb.c
> @@ -4089,7 +4089,8 @@ int CIFSFindNext(const int xid, struct cifs_tcon *tcon,
> T2_FNEXT_RSP_PARMS *parms;
> char *response_data;
> int rc = 0;
> - int bytes_returned, name_len;
> + int bytes_returned;
> + unsigned int name_len;
Looks obviously correct. Just curious when does the server sends a very
large resume_name_len? Does it try to overload with some other info in
such circumstances?
--
Suresh Jayaraman
next prev parent reply other threads:[~2011-08-23 12:25 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-08-23 11:21 [PATCH] cifs: fix possible memory corruption in CIFSFindNext Jeff Layton
[not found] ` <1314098488-1547-1-git-send-email-jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2011-08-23 11:46 ` Steve French
2011-08-23 12:25 ` Suresh Jayaraman [this message]
[not found] ` <4E539C35.70004-l3A5Bk7waGM@public.gmane.org>
2011-08-23 12:37 ` Jeff Layton
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4E539C35.70004@suse.de \
--to=sjayaraman-l3a5bk7wagm@public.gmane.org \
--cc=dcl-HN4QTLPn1qTvY7RNz7mR4EEOCMrvLtNR@public.gmane.org \
--cc=jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=smfrench-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.