On Wed, 11 Jan 2012 11:24:03 -0600 Steve French <smfrench@xxxxxxxxx> wrote: > On Wed, Jan 11, 2012 at 9:50 AM, Shirish Pargaonkar > <shirishpargaonkar@xxxxxxxxx> wrote: > > On Wed, Jan 11, 2012 at 1:46 AM, Dan Carpenter <dan.carpenter@xxxxxxxxxx> wrote: > >> On 32 bit systems num_aces * sizeof(struct cifs_ace *) could overflow > >> leading to a smaller ppace buffer than we expected. > >> > >> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> > >> > >> diff --git a/fs/cifs/cifsacl.c b/fs/cifs/cifsacl.c > >> index 72ddf23..c1b2544 100644 > >> --- a/fs/cifs/cifsacl.c > >> +++ b/fs/cifs/cifsacl.c > >> @@ -909,6 +909,8 @@ static void parse_dacl(struct cifs_acl *pdacl, char *end_of_acl, > >> umode_t group_mask = S_IRWXG; > >> umode_t other_mask = S_IRWXU | S_IRWXG | S_IRWXO; > >> > >> + if (num_aces > ULONG_MAX / sizeof(struct cifs_ace *)) > > > > Should an error/warning (like cifs client can't handle these many aces or > > possible erroneous number of aces sent by server etc.) be logged before > > returning? > > > >> + return; > >> ppace = kmalloc(num_aces * sizeof(struct cifs_ace *), > >> GFP_KERNEL); > >> if (!ppace) { > > Perhaps. Also note that you would overflow maximum smb size if num > aces is huge > so would you have even gotten this far? > Only if the smb frame is properly formed. It's possible that it's corrupt in such a way that the num_aces field is much larger than it should be, but the rest of the frame looks OK. -- Jeff Layton <jlayton@xxxxxxxxx> -- To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html