From mboxrd@z Thu Jan  1 00:00:00 1970
From: Jeff Layton <jlayton@redhat.com>
Date: Thu, 29 Mar 2012 19:57:57 +0000
Subject: Re: [patch] cifs: writing past end of struct in cifs_convert_address()
Message-Id: <20120329155757.4f44a3ad@corrin.poochiereds.net>
List-Id: <kernel-janitors.vger.kernel.org>
References: <20120301070652.GA6959@elgon.mountain>
In-Reply-To: <20120301070652.GA6959-mgFCXtclrQlZLf2FXnZxJA@public.gmane.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: Dan Carpenter <dan.carpenter-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org>
Cc: Steve French <sfrench-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>, linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, kernel-janitors-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, samba-technical-w/Ol4Ecudpl8XjKLYN78aQ@public.gmane.org

On Thu, 1 Mar 2012 10:06:52 +0300
Dan Carpenter <dan.carpenter@oracle.com> wrote:

> "s6->sin6_scope_id" is an int bits but strict_strtoul() writes a long
> so this can corrupt memory on 64 bit systems.
> 
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> 
> diff --git a/fs/cifs/netmisc.c b/fs/cifs/netmisc.c
> index 73e47e8..cab99b5 100644
> --- a/fs/cifs/netmisc.c
> +++ b/fs/cifs/netmisc.c
> @@ -197,8 +197,7 @@ cifs_convert_address(struct sockaddr *dst, const char *src, int len)
>  		memcpy(scope_id, pct + 1, slen);
>  		scope_id[slen] = '\0';
>  
> -		rc = strict_strtoul(scope_id, 0,
> -					(unsigned long *)&s6->sin6_scope_id);
> +		rc = kstrtouint(scope_id, 0, &s6->sin6_scope_id);
>  		rc = (rc = 0) ? 1 : 0;
>  	}
>  


Reviewed-by: Jeff Layton <jlayton@redhat.com>