Nice catch. Merged into cifs-2.6.git for-next

On Sat, Mar 21, 2015 at 6:08 PM, Taesoo Kim <tsgatesv@xxxxxxxxx> wrote:
> For example, when a mount opt is redundantly specified
> (e.g., "user=A,user=B,user=C"), the kernel kept allocating a new key/val
> with kstrdup() and overwrote the previous ptr (to be freed).
>
> Although mkfs.cifs in userspace performs a bit of sanitization
> (e.g., forcing one user option), the current implementation is not
> robust. Other options such as iocharset and domainname are similarly
> vulnerable.
>
> Signed-off-by: Taesoo Kim <tsgatesv@xxxxxxxxx>
> ---
>  fs/cifs/connect.c | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
> index d3aa999..4cb8450 100644
> --- a/fs/cifs/connect.c
> +++ b/fs/cifs/connect.c
> @@ -1599,6 +1599,8 @@ cifs_parse_mount_options(const char *mountdata, const char *devname,
>  				pr_warn("CIFS: username too long\n");
>  				goto cifs_parse_mount_err;
>  			}
> +
> +			kfree(vol->username);
>  			vol->username = kstrdup(string, GFP_KERNEL);
>  			if (!vol->username)
>  				goto cifs_parse_mount_err;
> @@ -1700,6 +1702,7 @@ cifs_parse_mount_options(const char *mountdata, const char *devname,
>  				goto cifs_parse_mount_err;
>  			}
>
> +			kfree(vol->domainname);
>  			vol->domainname = kstrdup(string, GFP_KERNEL);
>  			if (!vol->domainname) {
>  				pr_warn("CIFS: no memory for domainname\n");
> @@ -1731,6 +1734,7 @@ cifs_parse_mount_options(const char *mountdata, const char *devname,
>  			}
>
>  			if (strncasecmp(string, "default", 7) != 0) {
> +				kfree(vol->iocharset);
>  				vol->iocharset = kstrdup(string,
>  							 GFP_KERNEL);
>  				if (!vol->iocharset) {
> --
> 2.3.3
>

--
Thanks,

Steve
--
To unsubscribe from this list: send the line "unsubscribe linux-cifs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
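Review bot: in the first hunk (Opt_user, around line 1599) the extra empty "+" line added before "kfree(vol->username);" is a style nit; the domainname and iocharset hunks add only the kfree() line, so drop the blank line here for consistency. The placement itself is right: freeing after the "username too long" check means a repeated value that fails the length check leaves the earlier allocation untouched for the cifs_parse_mount_err path (not shown here) to release, and kfree(NULL) is a no-op, so the first occurrence of the option needs no guard.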
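Review bot: the second hunk (domainname, around line 1702) fixes one more kstrdup() site, but the commit message presents username, domainname and iocharset as examples ("such as"), so please state whether these are the only options in cifs_parse_mount_options() that kstrdup() a value into vol, or extend the patch to the remaining ones. A small helper that frees the old value and duplicates the new one in a single place, used at every string option, would keep the free-before-overwrite property from regressing when new options are added.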
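Review bot: in the third hunk (iocharset, around line 1734) the kfree(vol->iocharset) sits inside the "if (strncasecmp(string, "default", 7) != 0)" branch, so "iocharset=utf8,iocharset=default" keeps the utf8 allocation from the first occurrence instead of reverting to the default; if a later "default" is meant to reset the charset, the kfree() plus "vol->iocharset = NULL;" belongs before the strncasecmp(), on the path taken in both cases. Unrelated to this patch but visible in the same lines: strncasecmp() with length 7 also accepts any value that merely begins with "default".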
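As an added example (not part of the patch above and not code from fs/cifs/connect.c): a user-space C model of the repeated-option leak the commit message describes, with the pre-patch overwrite and the patched free-before-duplicate side by side so the leaked allocations can be counted. The option parser, the struct vol fields, and the xstrdup()/xfree() counting wrappers are assumptions made for illustration; the kernel uses kstrdup()/kfree() and the real parser is match_token() based.

```c
/* Added example, not from the patch or the kernel tree: models the
 * "user=A,user=B,user=C" leak in cifs_parse_mount_options() in user space.
 * xstrdup()/xfree() are hypothetical wrappers that count live allocations
 * so the leak is observable without a leak checker. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct vol {                       /* the three fields the patch touches */
	char *username;
	char *domainname;
	char *iocharset;
};

static int live_allocs;            /* strings duplicated and not yet freed */

static char *xstrdup(const char *s)
{
	char *p = strdup(s);
	if (p)
		live_allocs++;
	return p;
}

static void xfree(char *p)
{
	if (p)
		live_allocs--;
	free(p);                   /* free(NULL) is a no-op, like kfree(NULL) */
}

/* Store one value. free_old == 0 mirrors the code before the patch: a repeated
 * key overwrites the previous pointer and leaks it. free_old == 1 mirrors the
 * patch: release the old value before duplicating the new one. */
static int set_opt(char **slot, const char *value, int free_old)
{
	if (free_old)
		xfree(*slot);
	*slot = xstrdup(value);
	return *slot ? 0 : -1;
}

/* Parse "user=A,domain=B,iocharset=C,..." into vol; returns 0 on success. */
int parse_opts(const char *opts, struct vol *vol, int free_old)
{
	char *copy = strdup(opts);     /* scratch copy, not counted */
	char *save = NULL, *tok;
	int rc = 0;

	if (!copy)
		return -1;
	for (tok = strtok_r(copy, ",", &save); tok; tok = strtok_r(NULL, ",", &save)) {
		char *eq = strchr(tok, '=');
		if (!eq)
			continue;          /* flag-style option, ignored here */
		*eq = '\0';
		if (strcmp(tok, "user") == 0)
			rc = set_opt(&vol->username, eq + 1, free_old);
		else if (strcmp(tok, "domain") == 0)
			rc = set_opt(&vol->domainname, eq + 1, free_old);
		else if (strcmp(tok, "iocharset") == 0)
			rc = set_opt(&vol->iocharset, eq + 1, free_old);
		if (rc)
			break;
	}
	free(copy);
	return rc;
}

void vol_free(struct vol *vol)
{
	xfree(vol->username);
	xfree(vol->domainname);
	xfree(vol->iocharset);
	memset(vol, 0, sizeof(*vol));
}

/* Parse opts once, free the result, and report how many duplicated strings
 * are still live: 0 with the patched behaviour, >0 with the original. */
int leaked_after_parse(const char *opts, int free_old)
{
	struct vol vol = { 0 };
	int before = live_allocs;

	if (parse_opts(opts, &vol, free_old))
		return -1;
	vol_free(&vol);
	return live_allocs - before;
}

int main(void)
{
	const char *opts = "user=A,user=B,user=C,domain=D,iocharset=utf8";

	printf("original code leaks %d strings\n", leaked_after_parse(opts, 0));
	printf("patched code leaks %d strings\n", leaked_after_parse(opts, 1));
	return 0;
}
```

The counter plays the role kmemleak would play against the real kernel parser: with the pre-patch behaviour the three "user=" values leave two strings unreachable after vol_free(), with the patched behaviour none, and in both cases the last value wins, which is why the fix is a free before the duplicate rather than a rejection of the repeated option.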