Re: [PATCH v2] cifs: extend the buffer length enought for sprintf() using

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 07/19/2013 11:46 PM, Steve French wrote:
> merged into cifs-2.6.git
> 

Thanks.

> On Fri, Jul 19, 2013 at 5:45 AM, Jeff Layton <jlayton@xxxxxxxxxx> wrote:
>> > On Fri, 19 Jul 2013 09:01:36 +0800
>> > Chen Gang <gang.chen@xxxxxxxxxxx> wrote:
>> >
>>> >> For cifs_set_cifscreds() in "fs/cifs/connect.c", 'desc' buffer length
>>> >> is 'CIFSCREDS_DESC_SIZE' (56 is less than 256), and 'ses->domainName'
>>> >> length may be "255 + '\0'".
>>> >>
>>> >> The related sprintf() may cause memory overflow, so need extend related
>>> >> buffer enough to hold all things.
>>> >>
>>> >> It is also necessary to be sure of 'ses->domainName' must be less than
>>> >> 256, and define the related macro instead of hard code number '256'.
>>> >>
>>> >> Signed-off-by: Chen Gang <gang.chen@xxxxxxxxxxx>
>>> >> ---
>>> >>  fs/cifs/cifsencrypt.c |    2 +-
>>> >>  fs/cifs/cifsglob.h    |    1 +
>>> >>  fs/cifs/connect.c     |    7 ++++---
>>> >>  fs/cifs/sess.c        |    6 +++---
>>> >>  4 files changed, 9 insertions(+), 7 deletions(-)
>>> >>
>>> >> diff --git a/fs/cifs/cifsencrypt.c b/fs/cifs/cifsencrypt.c
>>> >> index 45e57cc..bb84d7c 100644
>>> >> --- a/fs/cifs/cifsencrypt.c
>>> >> +++ b/fs/cifs/cifsencrypt.c
>>> >> @@ -421,7 +421,7 @@ find_domain_name(struct cifs_ses *ses, const struct nls_table *nls_cp)
>>> >>               if (blobptr + attrsize > blobend)
>>> >>                       break;
>>> >>               if (type == NTLMSSP_AV_NB_DOMAIN_NAME) {
>>> >> -                     if (!attrsize)
>>> >> +                     if (!attrsize || attrsize >= MAX_DOMAINNAME_SIZE)
>>> >>                               break;
>>> >>                       if (!ses->domainName) {
>>> >>                               ses->domainName =
>>> >> diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h
>>> >> index 33f17ed..64bb4c5 100644
>>> >> --- a/fs/cifs/cifsglob.h
>>> >> +++ b/fs/cifs/cifsglob.h
>>> >> @@ -44,6 +44,7 @@
>>> >>  #define MAX_TREE_SIZE (2 + MAX_SERVER_SIZE + 1 + MAX_SHARE_SIZE + 1)
>>> >>  #define MAX_SERVER_SIZE 15
>>> >>  #define MAX_SHARE_SIZE 80
>>> >> +#define MAX_DOMAINNAME_SIZE 256      /* maximum fully qualified domain name (FQDN) */
>>> >>  #define MAX_USERNAME_SIZE 256        /* reasonable maximum for current servers */
>>> >>  #define MAX_PASSWORD_SIZE 512        /* max for windows seems to be 256 wide chars */
>>> >>
>>> >> diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
>>> >> index fa68813..3f9dcf7 100644
>>> >> --- a/fs/cifs/connect.c
>>> >> +++ b/fs/cifs/connect.c
>>> >> @@ -1675,7 +1675,8 @@ cifs_parse_mount_options(const char *mountdata, const char *devname,
>>> >>                       if (string == NULL)
>>> >>                               goto out_nomem;
>>> >>
>>> >> -                     if (strnlen(string, 256) == 256) {
>>> >> +                     if (strnlen(string, MAX_DOMAINNAME_SIZE)
>>> >> +                                     == MAX_DOMAINNAME_SIZE) {
>>> >>                               printk(KERN_WARNING "CIFS: domain name too"
>>> >>                                                   " long\n");
>>> >>                               goto cifs_parse_mount_err;
>>> >> @@ -2276,8 +2277,8 @@ cifs_put_smb_ses(struct cifs_ses *ses)
>>> >>
>>> >>  #ifdef CONFIG_KEYS
>>> >>
>>> >> -/* strlen("cifs:a:") + INET6_ADDRSTRLEN + 1 */
>>> >> -#define CIFSCREDS_DESC_SIZE (7 + INET6_ADDRSTRLEN + 1)
>>> >> +/* strlen("cifs:a:") + MAX_DOMAINNAME_SIZE + 1 */
>>> >> +#define CIFSCREDS_DESC_SIZE (7 + MAX_DOMAINNAME_SIZE + 1)
>>> >>
>>> >>  /* Populate username and pw fields from keyring if possible */
>>> >>  static int
>>> >> diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
>>> >> index 79358e3..57b1537 100644
>>> >> --- a/fs/cifs/sess.c
>>> >> +++ b/fs/cifs/sess.c
>>> >> @@ -197,7 +197,7 @@ static void unicode_domain_string(char **pbcc_area, struct cifs_ses *ses,
>>> >>               bytes_ret = 0;
>>> >>       } else
>>> >>               bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, ses->domainName,
>>> >> -                                         256, nls_cp);
>>> >> +                                         MAX_DOMAINNAME_SIZE, nls_cp);
>>> >>       bcc_ptr += 2 * bytes_ret;
>>> >>       bcc_ptr += 2;  /* account for null terminator */
>>> >>
>>> >> @@ -255,8 +255,8 @@ static void ascii_ssetup_strings(char **pbcc_area, struct cifs_ses *ses,
>>> >>
>>> >>       /* copy domain */
>>> >>       if (ses->domainName != NULL) {
>>> >> -             strncpy(bcc_ptr, ses->domainName, 256);
>>> >> -             bcc_ptr += strnlen(ses->domainName, 256);
>>> >> +             strncpy(bcc_ptr, ses->domainName, MAX_DOMAINNAME_SIZE);
>>> >> +             bcc_ptr += strnlen(ses->domainName, MAX_DOMAINNAME_SIZE);
>>> >>       } /* else we will send a null domain name
>>> >>            so the server will default to its own domain */
>>> >>       *bcc_ptr = 0;
>> >
>> > Looks good...
>> >
>> > Reviewed-by: Jeff Layton <jlayton@xxxxxxxxxx>
> 
> 
> -- Thanks, Steve
> 


-- 
Chen Gang
--
To unsubscribe from this list: send the line "unsubscribe linux-cifs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




[Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux