Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 301a6a31 authored by Steve French's avatar Steve French
Browse files

[CIFS] Maximum username length check in session setup does not match 



Fix length check reported by D. Binderman (see below)

d binderman <dcb314@hotmail.com> wrote:
>
> I just ran the sourceforge tool cppcheck over the source code of the
> new Linux kernel 2.6.33-rc6
>
> It said
>
> [./cifs/sess.c:250]: (error) Buffer access out-of-bounds

May turn out to be harmless, but best to be safe. Note max
username length is defined to 32 due to Linux (Windows
maximum is 20).

Signed-off-by: default avatarSteve French <sfrench@us.ibm.com>
parent f12f98db

fs/cifs/sess.c

+5 −6
Original line number Diff line number Diff line
@@ -223,9 +223,9 @@ static void unicode_ssetup_strings(char **pbcc_area, struct cifsSesInfo *ses, 
		/* null user mount */

		*bcc_ptr = 0;

		*(bcc_ptr+1) = 0;

	} else { /* 300 should be long enough for any conceivable user name */

	} else {

		bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, ses->userName,

					  300, nls_cp);

					  MAX_USERNAME_SIZE, nls_cp);

	}

	bcc_ptr += 2 * bytes_ret;

	bcc_ptr += 2; /* account for null termination */
@@ -246,11 +246,10 @@ static void ascii_ssetup_strings(char **pbcc_area, struct cifsSesInfo *ses, 
	/* copy user */

	if (ses->userName == NULL) {

		/* BB what about null user mounts - check that we do this BB */

	} else { /* 300 should be long enough for any conceivable user name */

		strncpy(bcc_ptr, ses->userName, 300);

	} else {

		strncpy(bcc_ptr, ses->userName, MAX_USERNAME_SIZE);

	}

	/* BB improve check for overflow */

	bcc_ptr += strnlen(ses->userName, 300);

	bcc_ptr += strnlen(ses->userName, MAX_USERNAME_SIZE);

	*bcc_ptr = 0;

	bcc_ptr++; /* account for null termination */