[PATCH 1/3] getcifsacl: fix endianness bug in getcifsacl and add better bounds checks

getcifsacl must convert the access_req field from little endian. Also,
we should ensure that the "size" field in the ACE is reachable before
trying to access it.

Signed-off-by: Jeff Layton <jlayton@xxxxxxxxx>
---
 getcifsacl.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/getcifsacl.c b/getcifsacl.c
index b832c50..c576fc0 100644
--- a/getcifsacl.c
+++ b/getcifsacl.c
@@ -31,6 +31,7 @@
 #include <unistd.h>
 #include <stdio.h>
 #include <stdlib.h>
+#include <stddef.h>
 #include <errno.h>
 #include <limits.h>
 #include <wbclient.h>
@@ -235,7 +236,15 @@ print_sid_raw:
 static void
 print_ace(struct cifs_ace *pace, char *end_of_acl, int raw)
 {
-	/* 16 == size of cifs_ace sans the cifs_sid */
+	uint16_t size;
+
+	/* make sure we can safely get to "size" */
+	if (end_of_acl < (char *)pace + offsetof(struct cifs_ace, size) + 1)
+		return;
+
+	size = le16toh(pace->size);
+
+	/* 16 == size of cifs_ace when cifs_sid has no subauths */
 	if (le16toh(pace->size) < 16)
 		return;
 
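Review bot: the bounds check at the top of print_ace() adds only 1 to offsetof(struct cifs_ace, size), but size is declared uint16_t here, so le16toh(pace->size) reads two bytes. If end_of_acl points one past the last valid byte, this check still accepts a buffer in which only the first byte of size is in range. Writing the limit as offsetof(struct cifs_ace, size) + sizeof(pace->size) is safe whether end_of_acl is inclusive or exclusive, and a short comment stating which convention end_of_acl follows would help. Separately, the new local size is assigned but the next test still reads `le16toh(pace->size) < 16`; use `size < 16` there, otherwise the variable is unused in the lines shown.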
@@ -250,8 +259,7 @@ print_ace(struct cifs_ace *pace, char *end_of_acl, int raw)
 	printf("/");
 	print_ace_flags(pace->flags, raw);
 	printf("/");
-	print_ace_mask(pace->access_req, raw);
-
+	print_ace_mask(le32toh(pace->access_req), raw);
 
 	return;
 }
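Review bot: the read in `print_ace_mask(le32toh(pace->access_req), raw)` is only safe if the whole ACE lies inside the buffer, and the check added in the previous hunk only establishes that the size field is reachable. The lines shown never compare the converted size against end_of_acl. If the code between the two hunks does not already do so, add an early return when pace plus size runs past end_of_acl, before any other field of the ACE is used. The le32toh() conversion itself looks right and matches how size is handled.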
-- 
1.7.12.1
