]> git.karo-electronics.de Git - karo-tx-linux.git/commitdiff
CIFS: Fix memory over bound bug in cifs_parse_mount_options
authorPavel Shilovsky <piastry@etersoft.ru>
Thu, 14 Apr 2011 18:00:56 +0000 (22:00 +0400)
committerGreg Kroah-Hartman <gregkh@suse.de>
Sat, 21 May 2011 22:13:10 +0000 (15:13 -0700)
commit 4906e50b37e6f6c264e7ee4237343eb2b7f8d16d upstream.

While password processing we can get out of options array bound if
the next character after array is delimiter. The patch adds a check
if we reach the end.

Signed-off-by: Pavel Shilovsky <piastry@etersoft.ru>
Reviewed-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
fs/cifs/connect.c

index 0fd3855a161ab41847448f3a7cb5e9d0bc5404ad..bd7e61fbd27e3a4923b676bd8a5cb5ad8213c89f 100644 (file)
@@ -822,8 +822,7 @@ static int
 cifs_parse_mount_options(char *options, const char *devname,
                         struct smb_vol *vol)
 {
-       char *value;
-       char *data;
+       char *value, *data, *end;
        unsigned int  temp_len, i, j;
        char separator[2];
        short int override_uid = -1;
@@ -866,6 +865,7 @@ cifs_parse_mount_options(char *options, const char *devname,
        if (!options)
                return 1;
 
+       end = options + strlen(options);
        if (strncmp(options, "sep=", 4) == 0) {
                if (options[4] != 0) {
                        separator[0] = options[4];
@@ -930,6 +930,7 @@ cifs_parse_mount_options(char *options, const char *devname,
                        the only illegal character in a password is null */
 
                        if ((value[temp_len] == 0) &&
+                           (value + temp_len < end) &&
                            (value[temp_len+1] == separator[0])) {
                                /* reinsert comma */
                                value[temp_len] = separator[0];