From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
	Zwane Mwaikambo <zwane@arm.linux.org.uk>,
	"Theodore Ts'o" <tytso@mit.edu>,
	Randy Dunlap <rdunlap@xenotime.net>,
	Dave Jones <davej@redhat.com>,
	Chuck Wolber <chuckw@quantumlinux.com>,
	Chris Wedgwood <reviews@ml.cw.f00f.org>,
	Michael Krufky <mkrufky@linuxtv.org>,
	Chuck Ebbert <cebbert@redhat.com>,
	Domenico Andreoli <cavokz@gmail.com>, Willy Tarreau <w@1wt.eu>,
	Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
	Jake Edge <jake@lwn.net>, Eugene Teo <eteo@redhat.com>,
	torvalds@linux-foundation.org, akpm@linux-foundation.org,
	alan@lxorguk.ukuu.org.uk, Steve French <smfrench@gmail.com>,
	Jeff Layton <jlayton@redhat.com>,
	Suresh Jayaraman <sjayaraman@suse.de>,
	Steve French <sfrench@us.ibm.com>
Subject: [patch 17/28] cifs: Fix incorrect destination buffer size in cifs_strncpy_to_host
Date: Thu, 14 May 2009 15:51:43 -0700
Message-ID: <20090514225239.140371593@mini.kroah.org>
In-Reply-To: <20090514225413.GA705@kroah.com>



2.6.27-stable review patch.  If anyone has any objections, please let us know.

------------------

From: Suresh Jayaraman <sjayaraman@suse.de>


Relevant commits 968460ebd8006d55661dec0fb86712b40d71c413 and
066ce6899484d9026acd6ba3a8dbbedb33d7ae1b. Minimal hunks to fix buffer
size and fix an existing problem pointed out by Guenter Kukuk that length
of src is used for NULL termination of dst.

cifs: Rename cifs_strncpy_to_host and fix buffer size

There is a possibility for the path_name and node_name buffers to
overflow if they contain characters that are >2 bytes in the local
charset. Resize the buffer allocation so as to avoid this possibility.

Also, as pointed out by Jeff Layton, it would be appropriate to
rename the function to cifs_strlcpy_to_host to reflect the fact
that the copied string is always NULL terminated.

Signed-off-by: Suresh Jayaraman <sjayaraman@suse.de>
Acked-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 fs/cifs/cifssmb.c |   17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)

--- a/fs/cifs/cifssmb.c
+++ b/fs/cifs/cifssmb.c
@@ -91,23 +91,22 @@ static int
 cifs_strncpy_to_host(char **dst, const char *src, const int maxlen,
 		 const bool is_unicode, const struct nls_table *nls_codepage)
 {
-	int plen;
+	int src_len, dst_len;
 
 	if (is_unicode) {
-		plen = UniStrnlen((wchar_t *)src, maxlen);
-		*dst = kmalloc(plen + 2, GFP_KERNEL);
+		src_len = UniStrnlen((wchar_t *)src, maxlen);
+		*dst = kmalloc((4 * src_len) + 2, GFP_KERNEL);
 		if (!*dst)
 			goto cifs_strncpy_to_host_ErrExit;
-		cifs_strfromUCS_le(*dst, (__le16 *)src, plen, nls_codepage);
+		dst_len = cifs_strfromUCS_le(*dst, (__le16 *)src, src_len, nls_codepage);
+		(*dst)[dst_len + 1] = 0;
 	} else {
-		plen = strnlen(src, maxlen);
-		*dst = kmalloc(plen + 2, GFP_KERNEL);
+		src_len = strnlen(src, maxlen);
+		*dst = kmalloc(src_len + 1, GFP_KERNEL);
 		if (!*dst)
 			goto cifs_strncpy_to_host_ErrExit;
-		strncpy(*dst, src, plen);
+		strlcpy(*dst, src, src_len + 1);
 	}
-	(*dst)[plen] = 0;
-	(*dst)[plen+1] = 0; /* harmless for ASCII case, needed for Unicode */
 	return 0;
 
 cifs_strncpy_to_host_ErrExit:
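Review bot: the unicode branch now writes only `(*dst)[dst_len + 1] = 0;` where the removed lines terminated at both `plen` and `plen+1`, so the result is correctly NUL terminated only if cifs_strfromUCS_le itself stores the terminator at index dst_len, which nothing in the hunk shows; a one-line comment stating that dependency, or an explicit `(*dst)[dst_len] = 0;` beside the second write, would make the double terminator self-explanatory to the next reader. The `4 *` in `kmalloc((4 * src_len) + 2, GFP_KERNEL)` is likewise a bare constant with no comment on why four bytes per source unit bounds the nls output; tying it to the nls layer's per-character maximum (NLS_MAX_CHARSET_SIZE from <linux/nls.h>) or documenting the assumed maximum would keep the allocation and the converter in step if either changes.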


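As an added illustration that is not part of the patch or of the CIFS code, the following user-space model reproduces the sizing problem the commit message describes: a UCS-2LE name whose characters take three bytes in UTF-8 needs more than the src_len + 2 bytes the removed hunk allocated, while 4 * src_len + 2 holds it. ucs2le_to_utf8, old_alloc, new_alloc, would_overflow and the sample string are constructed here; ucs2le_to_utf8 stands in for cifs_strfromUCS_le and the kernel's nls tables, with one difference noted in its comment: it is bounded and reports the length it needs, so truncation is visible instead of an overrun.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample: UCS-2LE "中文" (U+4E2D U+6587) plus NUL: two source
 * units that become six bytes of UTF-8. */
const unsigned char sample_ucs2le[] = { 0x2D, 0x4E, 0x87, 0x65, 0x00, 0x00 };

/* Encode one UCS-2 code unit as UTF-8 (1 to 3 bytes); return the byte count. */
static int utf8_encode(uint16_t cp, unsigned char *out)
{
	if (cp < 0x80) { out[0] = (unsigned char)cp; return 1; }
	if (cp < 0x800) { out[0] = 0xC0 | (cp >> 6); out[1] = 0x80 | (cp & 0x3F); return 2; }
	out[0] = 0xE0 | (cp >> 12); out[1] = 0x80 | ((cp >> 6) & 0x3F); out[2] = 0x80 | (cp & 0x3F);
	return 3;
}

/* Bounded stand-in for cifs_strfromUCS_le (assumed interface, not the kernel's):
 * convert up to maxunits UCS-2LE units into dst without writing past dst_size
 * bytes (NUL included), and return the byte length the full conversion needs
 * so the caller can detect truncation. */
size_t ucs2le_to_utf8(char *dst, size_t dst_size, const unsigned char *src, size_t maxunits)
{
	size_t needed = 0, written = 0;
	for (size_t i = 0; i < maxunits; i++) {
		uint16_t cp = (uint16_t)(src[2 * i] | (src[2 * i + 1] << 8));
		unsigned char tmp[3];
		if (cp == 0) break;
		int n = utf8_encode(cp, tmp);
		if (written + n < dst_size) {	/* copy only what fits, keep room for NUL */
			memcpy(dst + written, tmp, n);
			written += n;
		}
		needed += n;
	}
	if (dst_size) dst[written] = '\0';
	return needed;
}

/* Allocation sizes of the removed and the added hunk for src_len source units. */
size_t old_alloc(size_t src_len) { return src_len + 2; }
size_t new_alloc(size_t src_len) { return 4 * src_len + 2; }

/* 1 if converting src (plus its NUL) into an alloc-byte buffer would run past its end. */
int would_overflow(size_t alloc, const unsigned char *src, size_t maxunits)
{
	return ucs2le_to_utf8(NULL, 0, src, maxunits) + 1 > alloc;
}
```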
