public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed
From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
	Zwane Mwaikambo <zwane@arm.linux.org.uk>,
	"Theodore Ts'o" <tytso@mit.edu>,
	Randy Dunlap <rdunlap@xenotime.net>,
	Dave Jones <davej@redhat.com>,
	Chuck Wolber <chuckw@quantumlinux.com>,
	Chris Wedgwood <reviews@ml.cw.f00f.org>,
	Michael Krufky <mkrufky@linuxtv.org>,
	Chuck Ebbert <cebbert@redhat.com>,
	Domenico Andreoli <cavokz@gmail.com>, Willy Tarreau <w@1wt.eu>,
	Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
	Jake Edge <jake@lwn.net>, Eugene Teo <eteo@redhat.com>,
	torvalds@linux-foundation.org, akpm@linux-foundation.org,
	alan@lxorguk.ukuu.org.uk, Steve French <smfrench@gmail.com>,
	Jeff Layton <jlayton@redhat.com>,
	Steve French <sfrench@us.ibm.com>,
	Suresh Jayaraman <sjayaraman@suse.de>
Subject: [patch 15/28] cifs: Fix buffer size for tcon->nativeFileSystem field
Date: Thu, 14 May 2009 15:51:41 -0700	[thread overview]
Message-ID: <20090514225238.810281932@mini.kroah.org> (raw)
In-Reply-To: <20090514225413.GA705@kroah.com>

[-- Attachment #1: cifs-fix-buffer-size-for-tcon-nativefilesystem-field.patch --]
[-- Type: text/plain, Size: 1654 bytes --]


2.6.27-stable review patch.  If anyone has any objections, please let us know.

------------------

From: Jeff Layton <jlayton@redhat.com>

Commit f083def68f84b04fe3f97312498911afce79609e refreshed.

cifs: fix buffer size for tcon->nativeFileSystem field

The buffer for this was resized recently to fix a bug. It's still
possible however that a malicious server could overflow this field
by sending characters in it that are >2 bytes in the local charset.
Double the size of the buffer to account for this possibility.

Also get rid of some really strange and seemingly pointless NULL
termination. It's NULL terminating the string in the source buffer,
but by the time that happens, we've already copied the string.

Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
Cc: Suresh Jayaraman <sjayaraman@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 fs/cifs/connect.c |    6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -3549,16 +3549,12 @@ CIFSTCon(unsigned int xid, struct cifsSe
 			    BCC(smb_buffer_response)) {
 				kfree(tcon->nativeFileSystem);
 				tcon->nativeFileSystem =
-				    kzalloc(2*(length + 1), GFP_KERNEL);
+				    kzalloc((4 * length) + 2, GFP_KERNEL);
 				if (tcon->nativeFileSystem)
 					cifs_strfromUCS_le(
 						tcon->nativeFileSystem,
 						(__le16 *) bcc_ptr,
 						length, nls_codepage);
-				bcc_ptr += 2 * length;
-				bcc_ptr[0] = 0;	/* null terminate the string */
-				bcc_ptr[1] = 0;
-				bcc_ptr += 2;
 			}
 			/* else do not bother copying these information fields*/
 		} else {



  parent reply	other threads:[~2009-05-14 23:07 UTC|newest]

Thread overview: 29+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20090514225126.907908936@mini.kroah.org>
2009-05-14 22:54 ` [patch 00/28] 2.6.27.24-stable review Greg KH
2009-05-14 22:51   ` [patch 01/28] md: fix loading of out-of-date bitmap Greg KH
2009-05-14 22:51   ` [patch 02/28] md: fix some (more) errors with bitmaps on devices larger than 2TB Greg KH
2009-05-14 22:51   ` [patch 03/28] md/raid10: dont clear bitmap during recovery if array will still be degraded Greg KH
2009-05-14 22:51   ` [patch 04/28] md: remove ability to explicit set an inactive array to clean Greg KH
2009-05-14 22:51   ` [patch 05/28] USB: Gadget: fix UTF conversion in the usbstring library Greg KH
2009-05-14 22:51   ` [patch 06/28] dup2: Fix return value with oldfd == newfd and invalid fd Greg KH
2009-05-14 22:51   ` [patch 07/28] i2c-algo-bit: Fix timeout test Greg KH
2009-05-14 22:51   ` [patch 08/28] i2c-algo-pca: Let PCA9564 recover from unacked data byte (state 0x30) Greg KH
2009-05-14 22:51   ` [patch 09/28] mm: page_mkwrite change prototype to match fault Greg KH
2009-05-14 22:51   ` [patch 10/28] fs: fix page_mkwrite error cases in core code and btrfs Greg KH
2009-05-14 22:51   ` [patch 11/28] mm: close page_mkwrite races Greg KH
2009-05-14 22:51   ` [patch 12/28] GFS2: Fix page_mkwrite() return code Greg KH
2009-05-14 22:51   ` [patch 13/28] NFS: Fix the return value in nfs_page_mkwrite() Greg KH
2009-05-14 22:51   ` [patch 14/28] NFS: Close page_mkwrite() races Greg KH
2009-05-14 22:51   ` Greg KH [this message]
2009-05-14 22:51   ` [patch 16/28] cifs: Increase size of tmp_buf in cifs_readdir to avoid potential overflows Greg KH
2009-05-14 22:51   ` [patch 17/28] cifs: Fix incorrect destination buffer size in cifs_strncpy_to_host Greg KH
2009-05-14 22:51   ` [patch 18/28] cifs: Fix buffer size in cifs_convertUCSpath Greg KH
2009-05-14 22:51   ` [patch 19/28] cifs: Fix unicode string area word alignment in session setup Greg KH
2009-05-14 22:51   ` [patch 20/28] epoll: fix size check in epoll_create() Greg KH
2009-05-14 22:51   ` [patch 21/28] nfsd4: check for negative dentry before use in nfsv4 readdir Greg KH
2009-05-14 22:51   ` [patch 22/28] NFS: Fix the notifications when renaming onto an existing file Greg KH
2009-05-14 22:51   ` [patch 23/28] ehea: fix invalid pointer access Greg KH
2009-05-14 22:51   ` [patch 24/28] powerpc/5200: Dont specify IRQF_SHARED in PSC UART driver Greg KH
2009-05-14 22:51   ` [patch 25/28] splice: split up __splice_from_pipe() Greg KH
2009-05-14 22:51   ` [patch 26/28] splice: remove i_mutex locking in splice_from_pipe() Greg KH
2009-05-14 22:51   ` [patch 27/28] splice: fix i_mutex locking in generic_splice_write() Greg KH
2009-05-14 22:51   ` [patch 28/28] ocfs2: fix i_mutex locking in ocfs2_splice_to_file() Greg KH

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20090514225238.810281932@mini.kroah.org \
    --to=gregkh@suse.de \
    --cc=akpm@linux-foundation.org \
    --cc=alan@lxorguk.ukuu.org.uk \
    --cc=cavokz@gmail.com \
    --cc=cebbert@redhat.com \
    --cc=chuckw@quantumlinux.com \
    --cc=davej@redhat.com \
    --cc=eteo@redhat.com \
    --cc=jake@lwn.net \
    --cc=jlayton@redhat.com \
    --cc=jmforbes@linuxtx.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mkrufky@linuxtv.org \
    --cc=rbranco@la.checkpoint.com \
    --cc=rdunlap@xenotime.net \
    --cc=reviews@ml.cw.f00f.org \
    --cc=sfrench@us.ibm.com \
    --cc=sjayaraman@suse.de \
    --cc=smfrench@gmail.com \
    --cc=stable@kernel.org \
    --cc=torvalds@linux-foundation.org \
    --cc=tytso@mit.edu \
    --cc=w@1wt.eu \
    --cc=zwane@arm.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox