Nice catch.
Merged into cifs-2.6.git for-next
On Sat, Mar 21, 2015 at 6:08 PM, Taesoo Kim <tsgatesv@xxxxxxxxx> wrote:
> For example, when mount opt is redundently specified
> (e.g., "user=A,user=B,user=C"), kernel kept allocating new key/val
> with kstrdup() and overwrite previous ptr (to be freed).
>
> Althouhg mkfs.cifs in userspace performs a bit of sanitization
> (e.g., forcing one user option), current implementation is not
> robust. Other options such as iocharset and domainanme are similary
> vulnerable.
>
> Signed-off-by: Taesoo Kim <tsgatesv@xxxxxxxxx>
> ---
> fs/cifs/connect.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
> index d3aa999..4cb8450 100644
> --- a/fs/cifs/connect.c
> +++ b/fs/cifs/connect.c
> @@ -1599,6 +1599,8 @@ cifs_parse_mount_options(const char *mountdata, const char *devname,
> pr_warn("CIFS: username too long\n");
> goto cifs_parse_mount_err;
> }
> +
> + kfree(vol->username);
> vol->username = kstrdup(string, GFP_KERNEL);
> if (!vol->username)
> goto cifs_parse_mount_err;
> @@ -1700,6 +1702,7 @@ cifs_parse_mount_options(const char *mountdata, const char *devname,
> goto cifs_parse_mount_err;
> }
>
> + kfree(vol->domainname);
> vol->domainname = kstrdup(string, GFP_KERNEL);
> if (!vol->domainname) {
> pr_warn("CIFS: no memory for domainname\n");
> @@ -1731,6 +1734,7 @@ cifs_parse_mount_options(const char *mountdata, const char *devname,
> }
>
> if (strncasecmp(string, "default", 7) != 0) {
> + kfree(vol->iocharset);
> vol->iocharset = kstrdup(string,
> GFP_KERNEL);
> if (!vol->iocharset) {
> --
> 2.3.3
>
--
Thanks,
Steve
--
To unsubscribe from this list: send the line "unsubscribe linux-cifs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
