The max number of subauthorities on windows and in winbind is generally 15, not 5. If winbind sends more than 5, then this code may end up overrunning the buffer. Also, define some preprocessor constants and use those instead of hardcoding '5' and '6' all over the place.
Signed-off-by: Jeff Layton <jlayton@xxxxxxxxx>
---
 cifsacl.h | 7 +++++--
 setcifsacl.c | 12 ++++++------
 2 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/cifsacl.h b/cifsacl.h
index 101881b..f9fdc8f 100644
--- a/cifsacl.h
+++ b/cifsacl.h
@@ -96,6 +96,9 @@
 #define COMPMASK 0x8
 #define COMPALL 0xf /* COMPSID | COMPTYPE | COMPFLAG | COMPMASK */
 
+#define NUM_AUTHS (6) /* number of authority fields */
+#define SID_MAX_SUB_AUTHORITIES (15) /* max number of sub authority fields */
+
 enum ace_action {
 acedelete = 0,
 acemodify,
@@ -115,8 +118,8 @@ struct cifs_ntsd {
 struct cifs_sid {
 uint8_t revision; /* revision level */
 uint8_t num_subauth;
- uint8_t authority[6];
- uint32_t sub_auth[5]; /* sub_auth[num_subauth] */
+ uint8_t authority[NUM_AUTHS];
+ uint32_t sub_auth[SID_MAX_SUB_AUTHORITIES];
 } __attribute__((packed));
 
 struct cifs_ctrl_acl {
diff --git a/setcifsacl.c b/setcifsacl.c
index 29b7b93..23ab5b1 100644
--- a/setcifsacl.c
+++ b/setcifsacl.c
@@ -76,9 +76,9 @@ copy_sec_desc(const struct cifs_ntsd *pntsd, struct cifs_ntsd *pnntsd,
 
 nowner_sid_ptr->revision = owner_sid_ptr->revision;
 nowner_sid_ptr->num_subauth = owner_sid_ptr->num_subauth;
- for (i = 0; i < 6; i++)
+ for (i = 0; i < NUM_AUTHS; i++)
 nowner_sid_ptr->authority[i] = owner_sid_ptr->authority[i];
- for (i = 0; i < 5; i++)
+ for (i = 0; i < SID_MAX_SUB_AUTHORITIES; i++)
 nowner_sid_ptr->sub_auth[i] = owner_sid_ptr->sub_auth[i];
 
 /* copy group sid */
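Review bot: In struct cifs_sid, widening `sub_auth` to SID_MAX_SUB_AUTHORITIES makes sizeof(struct cifs_sid) 68 bytes, while a SID stored inside a security descriptor occupies only 8 + 4 * num_subauth bytes, and the hunk drops the old `/* sub_auth[num_subauth] */` hint that recorded this. Any code that sizes a buffer, advances an offset or copies using sizeof(struct cifs_sid) would now reach up to 60 bytes past a short SID; no such use is visible in this patch, so the callers need checking. I would keep a comment on the field, e.g. `/* only sub_auth[0..num_subauth-1] are valid; wire size is 8 + 4 * num_subauth */`.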
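Review bot: The owner-SID loop in copy_sec_desc now copies all SID_MAX_SUB_AUTHORITIES entries of `sub_auth` regardless of `owner_sid_ptr->num_subauth`, so for a SID with fewer sub-authorities it reads and writes up to 60 bytes of `sub_auth` data instead of the previous fixed 20. If the source or destination descriptor buffer is sized from the actual SID lengths (the allocation is outside this hunk), that is an out-of-bounds read and write. Bounding the loop by the count, as copy_ace already does, avoids it: `for (i = 0; i < owner_sid_ptr->num_subauth; i++)`, after rejecting `num_subauth > SID_MAX_SUB_AUTHORITIES`. The group-SID loop in the next hunk (`@@ -87,9 +87,9 @@`) has the same problem. copy_sec_desc starts and ends outside the hunk.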
@@ -87,9 +87,9 @@ copy_sec_desc(const struct cifs_ntsd *pntsd, struct cifs_ntsd *pnntsd,
 
 ngroup_sid_ptr->revision = group_sid_ptr->revision;
 ngroup_sid_ptr->num_subauth = group_sid_ptr->num_subauth;
- for (i = 0; i < 6; i++)
+ for (i = 0; i < NUM_AUTHS; i++)
 ngroup_sid_ptr->authority[i] = group_sid_ptr->authority[i];
- for (i = 0; i < 5; i++)
+ for (i = 0; i < SID_MAX_SUB_AUTHORITIES; i++)
 ngroup_sid_ptr->sub_auth[i] = group_sid_ptr->sub_auth[i];
 
 return;
@@ -106,7 +106,7 @@ copy_ace(struct cifs_ace *dace, struct cifs_ace *sace)
 
 dace->sid.revision = sace->sid.revision;
 dace->sid.num_subauth = sace->sid.num_subauth;
- for (i = 0; i < 6; i++)
+ for (i = 0; i < NUM_AUTHS; i++)
 dace->sid.authority[i] = sace->sid.authority[i];
 for (i = 0; i < sace->sid.num_subauth; i++)
 dace->sid.sub_auth[i] = sace->sid.sub_auth[i];
@@ -126,7 +126,7 @@ compare_aces(struct cifs_ace *sace, struct cifs_ace *dace, int compflags)
 return 0;
 if (dace->sid.num_subauth != sace->sid.num_subauth)
 return 0;
- for (i = 0; i < 6; i++) {
+ for (i = 0; i < NUM_AUTHS; i++) {
 if (dace->sid.authority[i] != sace->sid.authority[i])
 return 0;
 }
--
1.7.11.7
--
To unsubscribe from this list: send the line "unsubscribe linux-cifs" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
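Review bot: In copy_ace the sub-authority loop is bounded only by `sace->sid.num_subauth`, a uint8_t taken from the source ACE, so a count above SID_MAX_SUB_AUTHORITIES still writes past `dace->sid.sub_auth` even with the larger array. The commit raises the array size but nothing visible in this hunk enforces the new limit. A guard before the loop would close that, e.g. `if (sace->sid.num_subauth > SID_MAX_SUB_AUTHORITIES) return;`, adjusted to whatever error path copy_ace's callers expect. The start and end of copy_ace are outside the hunk, so the count may be validated earlier, which should be confirmed.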