Re: [PATCH] CIFS: Fix IP address bounds checking on mount utility.

Scott Lovenberg <scott.lovenberg@xxxxxxxxx> · Sat, 24 Nov 2012 12:33:45 -0500

On Sat, Nov 24, 2012 at 9:23 AM, Jeff Layton <jlayton@xxxxxxxxx> wrote:
> On Thu, 22 Nov 2012 12:31:50 -0500
> Scott Lovenberg <scott.lovenberg@xxxxxxxxx> wrote:
>
>> On Wed, Nov 21, 2012 at 4:52 PM, Jeff Layton <jlayton@xxxxxxxxx> wrote:
>> >
>> > On Nov 21, 2012 3:16 PM, "Scott Lovenberg" <scott.lovenberg@xxxxxxxxx>
>> > wrote:
>> >>
>> >> On Wed, Nov 21, 2012 at 3:10 PM, <scott.lovenberg@xxxxxxxxx> wrote:
>> >> >
>> >> > From: Scott Lovenberg <scott.lovenberg@xxxxxxxxx>
>> >> >
>> >> > Signed-off-by: Scott Lovenberg <scott.lovenberg@xxxxxxxxx>
>> >> > ---
>> >> >  mount.cifs.c |    4 ++--
>> >> >  1 files changed, 2 insertions(+), 2 deletions(-)
>> >> >
>> >> > diff --git a/mount.cifs.c b/mount.cifs.c
>> >> > index a9632b4..f63c309 100644
>> >> > --- a/mount.cifs.c
>> >> > +++ b/mount.cifs.c
>> >> > @@ -941,8 +941,8 @@ parse_options(const char *data, struct
>> >> > parsed_mount_info *parsed_info)
>> >> >                         if (!value || !*value) {
>> >> >                                 fprintf(stderr,
>> >> >                                         "target ip address argument
>> >> > missing\n");
>> >> > -                       } else if (strnlen(value, MAX_ADDRESS_LEN) <=
>> >> > -                               MAX_ADDRESS_LEN) {
>> >> > +                       } else if (strnlen(value, MAX_ADDR_LIST_LEN + 1)
>> >> > <=
>> >> > +                               MAX_ADDR_LIST_LEN) {
>> >> >                                 strcpy(parsed_info->addrlist, value);
>> >> >                                 if (parsed_info->verboseflag)
>> >> >                                         fprintf(stderr,
>> >> > --
>> >> > 1.7.5.4
>> >> >
>> >>
>> >> I still suck at git send-email.  The body of that should have read:
>> >> "In the mount utility use MAX_ADDR_LIST_LEN for bounds checking on ip
>> >> addresses instead of MAX_ADDRESS_LEN.  Parsed_mount_info->addrlist is
>> >> MAX_ADDR_LIST_LEN chars long."
>> >>
>> >> --
>> >> Peace and Blessings,
>> >> -Scott.
>> >> --
>> >> To unsubscribe from this list: send the line "unsubscribe linux-cifs" in
>> >> the body of a message to majordomo@xxxxxxxxxxxxxxx
>> >> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>> >
>> > Erm...except that ip= can only specify a single address. MAX_ADDRESS_LEN is
>> > the length of a single address whereas MAX_ADDR_LIST_LEN is 16 times that
>> > value. I'm not clear on what the perceived bug is here...
>> >
>>
>> Hrm... I'm a bit confused as to why the parsed_mount_info has
>> addrlist[MAX_ADDR_LIST_LEN] if it's only going to hold a single IP.
>> Happy Thanksgiving, Jeff.
>>
>
> When you resolve a hostname, we get back a list of address records.
> Those are parsed and the addresses end up in the addrlist.
>
> When you provide an 'ip=' address option manually however, you can only
> provide a single address. That still goes into the addrlist, but then
> you're just in the trivial case of trying an address list that contains
> a single address.
>
> --
> Jeff Layton <jlayton@xxxxxxxxx>

OK, that makes sense.

-- 
Peace and Blessings,
-Scott.
--
To unsubscribe from this list: send the line "unsubscribe linux-cifs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html