[PATCH] cifs: fix potential overflow in cifs_compose_mount

linux-cifs.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] cifs: fix potential overflow in cifs_compose_mount_options
@ 2016-02-01 16:34 Insu Yun
  2016-02-11  0:08 ` Steve French
       [not found] ` <1454344498-16835-1-git-send-email-wuninsu-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
  0 siblings, 2 replies; 3+ messages in thread
From: Insu Yun @ 2016-02-01 16:34 UTC (permalink / raw)
  To: sfrench-eUNUBHrolfbYtjvyW6yDsg, linux-cifs-u79uwXL29TY76Z2rM5mHXA,
	samba-technical-w/Ol4Ecudpl8XjKLYN78aQ,
	linux-kernel-u79uwXL29TY76Z2rM5mHXA
  Cc: taesoo-/4noJB3qBVQ3uPMLIKxrzw,
	yeongjin.jang-/4noJB3qBVQ3uPMLIKxrzw, insu-/4noJB3qBVQ3uPMLIKxrzw,
	changwoo-/4noJB3qBVQ3uPMLIKxrzw, Insu Yun

In worst case, "ip=" + sb_mountdata + ipv6 can be copied into mountdata.
Therefore, for safe, it is better to add more size when allocating memory.

Signed-off-by: Insu Yun <wuninsu-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
---
 fs/cifs/cifs_dfs_ref.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/cifs/cifs_dfs_ref.c b/fs/cifs/cifs_dfs_ref.c
index 7dc886c..e956cba 100644
--- a/fs/cifs/cifs_dfs_ref.c
+++ b/fs/cifs/cifs_dfs_ref.c
@@ -175,7 +175,7 @@ char *cifs_compose_mount_options(const char *sb_mountdata,
 	 * string to the length of the original string to allow for worst case.
 	 */
 	md_len = strlen(sb_mountdata) + INET6_ADDRSTRLEN;
-	mountdata = kzalloc(md_len + 1, GFP_KERNEL);
+	mountdata = kzalloc(md_len + sizeof("ip=") + 1, GFP_KERNEL);
 	if (mountdata == NULL) {
 		rc = -ENOMEM;
 		goto compose_mount_options_err;
-- 
1.9.1

^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH] cifs: fix potential overflow in cifs_compose_mount_options
  2016-02-01 16:34 [PATCH] cifs: fix potential overflow in cifs_compose_mount_options Insu Yun
@ 2016-02-11  0:08 ` Steve French
       [not found] ` <1454344498-16835-1-git-send-email-wuninsu-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
  1 sibling, 0 replies; 3+ messages in thread
From: Steve French @ 2016-02-11  0:08 UTC (permalink / raw)
  To: Insu Yun
  Cc: linux-cifs@vger.kernel.org, taesoo, yeongjin.jang, insu,
	samba-technical, LKML, Steve French, changwoo

On Mon, Feb 1, 2016 at 10:34 AM, Insu Yun <wuninsu@gmail.com> wrote:

> In worst case, "ip=" + sb_mountdata + ipv6 can be copied into mountdata.
> Therefore, for safe, it is better to add more size when allocating memory.
>
> Signed-off-by: Insu Yun <wuninsu@gmail.com>
> ---
>  fs/cifs/cifs_dfs_ref.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fs/cifs/cifs_dfs_ref.c b/fs/cifs/cifs_dfs_ref.c
> index 7dc886c..e956cba 100644
> --- a/fs/cifs/cifs_dfs_ref.c
> +++ b/fs/cifs/cifs_dfs_ref.c
> @@ -175,7 +175,7 @@ char *cifs_compose_mount_options(const char
> *sb_mountdata,
>          * string to the length of the original string to allow for worst
> case.
>          */
>         md_len = strlen(sb_mountdata) + INET6_ADDRSTRLEN;
> -       mountdata = kzalloc(md_len + 1, GFP_KERNEL);
> +       mountdata = kzalloc(md_len + sizeof("ip=") + 1, GFP_KERNEL);
>         if (mountdata == NULL) {
>                 rc = -ENOMEM;
>                 goto compose_mount_options_err;


Not likely to be reproducible in practice (since ip= is already in the
sb_mountdata) but in case mount.cifs was missing and ip= was missing from
the original mount string, might as well add it.

Merged into cifs-2.6.git
-- 
Thanks,

Steve

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] cifs: fix potential overflow in cifs_compose_mount_options
       [not found] ` <1454344498-16835-1-git-send-email-wuninsu-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
@ 2016-02-11  0:14   ` Steve French
  0 siblings, 0 replies; 3+ messages in thread
From: Steve French @ 2016-02-11  0:14 UTC (permalink / raw)
  To: Insu Yun
  Cc: Steve French, linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
	samba-technical, LKML, taesoo-/4noJB3qBVQ3uPMLIKxrzw,
	yeongjin.jang-/4noJB3qBVQ3uPMLIKxrzw, insu-/4noJB3qBVQ3uPMLIKxrzw,
	changwoo-/4noJB3qBVQ3uPMLIKxrzw

On Mon, Feb 1, 2016 at 10:34 AM, Insu Yun <wuninsu-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> In worst case, "ip=" + sb_mountdata + ipv6 can be copied into mountdata.
> Therefore, for safe, it is better to add more size when allocating memory.
>
> Signed-off-by: Insu Yun <wuninsu-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
> ---
>  fs/cifs/cifs_dfs_ref.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fs/cifs/cifs_dfs_ref.c b/fs/cifs/cifs_dfs_ref.c
> index 7dc886c..e956cba 100644
> --- a/fs/cifs/cifs_dfs_ref.c
> +++ b/fs/cifs/cifs_dfs_ref.c
> @@ -175,7 +175,7 @@ char *cifs_compose_mount_options(const char *sb_mountdata,
>          * string to the length of the original string to allow for worst case.
>          */
>         md_len = strlen(sb_mountdata) + INET6_ADDRSTRLEN;
> -       mountdata = kzalloc(md_len + 1, GFP_KERNEL);
> +       mountdata = kzalloc(md_len + sizeof("ip=") + 1, GFP_KERNEL);
>         if (mountdata == NULL) {
>                 rc = -ENOMEM;
>                 goto compose_mount_options_err;

Not likely to be reproducible in practice (since ip= is already in the
sb_mountdata) but in case mount.cifs was missing and ip= was missing from
the original mount string, might as well add it.

Merged into cifs-2.6.git


-- 
Thanks,

Steve

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2016-02-11  0:14 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-02-01 16:34 [PATCH] cifs: fix potential overflow in cifs_compose_mount_options Insu Yun
2016-02-11  0:08 ` Steve French
     [not found] ` <1454344498-16835-1-git-send-email-wuninsu-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2016-02-11  0:14   ` Steve French

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).