From: Jim Meyering <meyering@xxxxxxxxxx>
Each of the protocols[i].name strings (statically declared above)
has length less than 16, so this use of strncpy is misleading:
strncpy(pSMB->DialectsArray+count, protocols[i].name, 16);
Besides, if a new name were added with length N >= 16, the existing
strncpy-using code would be buggy, creating a ->DialectsArray buffer
containing N-16+1 unset bytes where the NUL terminator should have
been. Instead, traverse the name only once go get its length,
use a BUG_ON assertion to enforce the length restriction
and use memcpy to perform the copy.
Signed-off-by: Jim Meyering <meyering@xxxxxxxxxx>
---
fs/cifs/cifssmb.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c
index 074923c..16a9018 100644
--- a/fs/cifs/cifssmb.c
+++ b/fs/cifs/cifssmb.c
@@ -441,8 +441,10 @@ CIFSSMBNegotiate(const unsigned int xid, struct cifs_ses *ses)
count = 0;
for (i = 0; i < CIFS_NUM_PROT; i++) {
- strncpy(pSMB->DialectsArray+count, protocols[i].name, 16);
- count += strlen(protocols[i].name) + 1;
+ size_t len = strlen(protocols[i].name);
+ BUG_ON(len >= 16);
+ memcpy(pSMB->DialectsArray+count, protocols[i].name, len + 1);
+ count += len + 1;
/* null at end of source and target buffers anyway */
}
inc_rfc1001_len(pSMB, count);
--
1.7.12
--
To unsubscribe from this list: send the line "unsubscribe linux-cifs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
