From: Jeff Layton Date: Fri, 24 May 2013 11:40:04 +0000 (-0400) Subject: cifs: fix potential buffer overrun when composing a new options string X-Git-Tag: next-20130527~81^2~9 X-Git-Url: https://git.karo-electronics.de/?a=commitdiff_plain;h=20ac9e1ef55ef311534db06a01d555a8d29eba0b;p=karo-tx-linux.git cifs: fix potential buffer overrun when composing a new options string Consider the case where we have a very short ip= string in the original mount options, and when we chase a referral we end up with a very long IPv6 address. Be sure to allow for that possibility when estimating the size of the string to allocate. Cc: Signed-off-by: Jeff Layton Signed-off-by: Steve French --- diff --git a/fs/cifs/cifs_dfs_ref.c b/fs/cifs/cifs_dfs_ref.c index 8e33ec65847b..8e5a1817496d 100644 --- a/fs/cifs/cifs_dfs_ref.c +++ b/fs/cifs/cifs_dfs_ref.c @@ -18,6 +18,7 @@ #include #include #include +#include #include "cifsglob.h" #include "cifsproto.h" #include "cifsfs.h" @@ -150,7 +151,8 @@ char *cifs_compose_mount_options(const char *sb_mountdata, * assuming that we have 'unc=' and 'ip=' in * the original sb_mountdata */ - md_len = strlen(sb_mountdata) + rc + strlen(ref->node_name) + 12; + md_len = strlen(sb_mountdata) + rc + strlen(ref->node_name) + 12 + + INET6_ADDRSTRLEN; mountdata = kzalloc(md_len+1, GFP_KERNEL); if (mountdata == NULL) { rc = -ENOMEM;