From: David Disseldorp <ddiss@suse.de>
To: Steve French <smfrench@gmail.com>
Cc: linux-cifs@vger.kernel.org, Bruno Bierbaumer <bruno@bierbaumer.net>
Subject: Re: [PATCH] mount.cifs: fix buffer overrun in set_password
Date: Wed, 1 Apr 2026 11:58:24 +1100 [thread overview]
Message-ID: <20260401115824.447004b8.ddiss@suse.de> (raw)
In-Reply-To: <CAH2r5mu56K0Ew8XHaVEsGK9KgxHv34WN5EkXTKUvFtxydFp9zQ@mail.gmail.com>
On Tue, 31 Mar 2026 18:56:05 -0500, Steve French wrote:
> added RB from Henrique and updated
> git.samba.org/data/git/cifs-utils.git and
> https://github.com/smfrench/smb3-utils for-next
Thanks Steve. FWIW, the reviewed-by tag has an incorrect email address:
Reviewed-by: Henrique Carvalho <[2]henrique.carvalho@suse.com>
Should be
Reviewed-by: Henrique Carvalho <henrique.carvalho@suse.com>
I'll close the corresponding PR at
https://github.com/smfrench/smb3-utils/pull/16
Cheers, David
> On Mon, Mar 30, 2026 at 7:10 PM David Disseldorp <ddiss@suse.de> wrote:
> >
> > The existing (j > pass_length) check is insufficient to avoid dst buffer
> > overrun into the start of the adjacent struct parsed_mount_info field.
> > Check for overrun before writing to dst, and account for comma-expansion
> > and null-termination.
> >
> > Bug: https://bugzilla.samba.org/show_bug.cgi?id=16044
> >
> > Reported-by: Bruno Bierbaumer <bruno@bierbaumer.net>
> > Signed-off-by: David Disseldorp <ddiss@suse.de>
> > ---
> > mount.cifs.c | 8 ++++----
> > 1 file changed, 4 insertions(+), 4 deletions(-)
> >
> > diff --git a/mount.cifs.c b/mount.cifs.c
> > index 1923913..d41ca6a 100644
> > --- a/mount.cifs.c
> > +++ b/mount.cifs.c
> > @@ -350,13 +350,13 @@ set_password(struct parsed_mount_info *parsed_info, const char *src,
> > unsigned int i = 0, j = 0;
> >
> > while (src[i]) {
> > - if (src[i] == ',')
> > - dst[j++] = ',';
> > - dst[j++] = src[i++];
> > - if (j > pass_length) {
> > + if (j + 2 >= pass_length) {
> > fprintf(stderr, "Converted password too long!\n");
> > return EX_USAGE;
> > }
> > + if (src[i] == ',')
> > + dst[j++] = ',';
> > + dst[j++] = src[i++];
> > }
> > dst[j] = '\0';
> > if (is_pass2)
> > --
> > 2.51.0
> >
>
>
next prev parent reply other threads:[~2026-04-01 0:58 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-31 0:09 [PATCH] mount.cifs: fix buffer overrun in set_password David Disseldorp
2026-03-31 17:44 ` Henrique Carvalho
2026-03-31 23:56 ` Steve French
2026-04-01 0:58 ` David Disseldorp [this message]
2026-04-01 2:03 ` Steve French
2026-04-01 13:40 ` Enzo Matsumiya
2026-04-01 15:24 ` Henrique Carvalho
2026-04-02 1:23 ` David Disseldorp
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260401115824.447004b8.ddiss@suse.de \
--to=ddiss@suse.de \
--cc=bruno@bierbaumer.net \
--cc=linux-cifs@vger.kernel.org \
--cc=smfrench@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox