Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 057d6332 authored by Chen Gang's avatar Chen Gang Committed by Steve French
Browse files

cifs: extend the buffer length enought for sprintf() using 



For cifs_set_cifscreds() in "fs/cifs/connect.c", 'desc' buffer length
is 'CIFSCREDS_DESC_SIZE' (56 is less than 256), and 'ses->domainName'
length may be "255 + '\0'".

The related sprintf() may cause memory overflow, so need extend related
buffer enough to hold all things.

It is also necessary to be sure of 'ses->domainName' must be less than
256, and define the related macro instead of hard code number '256'.

Signed-off-by: default avatarChen Gang <gang.chen@asianux.com>
Reviewed-by: default avatarJeff Layton <jlayton@redhat.com>
Reviewed-by: default avatarShirish Pargaonkar <shirishpargaonkar@gmail.com>
Reviewed-by: default avatarScott Lovenberg <scott.lovenberg@gmail.com>
CC: <stable@vger.kernel.org>
Signed-off-by: default avatarSteve French <smfrench@gmail.com>
parent ecb2cf1a

fs/cifs/cifsencrypt.c

+1 −1
Original line number Diff line number Diff line
@@ -421,7 +421,7 @@ find_domain_name(struct cifs_ses *ses, const struct nls_table *nls_cp) 
		if (blobptr + attrsize > blobend)

			break;

		if (type == NTLMSSP_AV_NB_DOMAIN_NAME) {

			if (!attrsize)

			if (!attrsize || attrsize >= CIFS_MAX_DOMAINNAME_LEN)

				break;

			if (!ses->domainName) {

				ses->domainName =

fs/cifs/cifsglob.h

+1 −0
Original line number Diff line number Diff line
@@ -44,6 +44,7 @@ 
#define MAX_TREE_SIZE (2 + MAX_SERVER_SIZE + 1 + MAX_SHARE_SIZE + 1)

#define MAX_SERVER_SIZE 15

#define MAX_SHARE_SIZE 80

#define CIFS_MAX_DOMAINNAME_LEN 256 /* max domain name length */

#define MAX_USERNAME_SIZE 256	/* reasonable maximum for current servers */

#define MAX_PASSWORD_SIZE 512	/* max for windows seems to be 256 wide chars */

fs/cifs/connect.c

+4 −3
Original line number Diff line number Diff line
@@ -1675,7 +1675,8 @@ cifs_parse_mount_options(const char *mountdata, const char *devname, 
			if (string == NULL)

				goto out_nomem;



			if (strnlen(string, 256) == 256) {

			if (strnlen(string, CIFS_MAX_DOMAINNAME_LEN)

					== CIFS_MAX_DOMAINNAME_LEN) {

				printk(KERN_WARNING "CIFS: domain name too"

						    " long\n");

				goto cifs_parse_mount_err;
@@ -2276,8 +2277,8 @@ cifs_put_smb_ses(struct cifs_ses *ses) 


#ifdef CONFIG_KEYS



/* strlen("cifs:a:") + INET6_ADDRSTRLEN + 1 */

#define CIFSCREDS_DESC_SIZE (7 + INET6_ADDRSTRLEN + 1)

/* strlen("cifs:a:") + CIFS_MAX_DOMAINNAME_LEN + 1 */

#define CIFSCREDS_DESC_SIZE (7 + CIFS_MAX_DOMAINNAME_LEN + 1)



/* Populate username and pw fields from keyring if possible */

static int

fs/cifs/sess.c

+3 −3
Original line number Diff line number Diff line
@@ -197,7 +197,7 @@ static void unicode_domain_string(char **pbcc_area, struct cifs_ses *ses, 
		bytes_ret = 0;

	} else

		bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, ses->domainName,

					    256, nls_cp);

					    CIFS_MAX_DOMAINNAME_LEN, nls_cp);

	bcc_ptr += 2 * bytes_ret;

	bcc_ptr += 2;  /* account for null terminator */
@@ -255,8 +255,8 @@ static void ascii_ssetup_strings(char **pbcc_area, struct cifs_ses *ses, 


	/* copy domain */

	if (ses->domainName != NULL) {

		strncpy(bcc_ptr, ses->domainName, 256);

		bcc_ptr += strnlen(ses->domainName, 256);

		strncpy(bcc_ptr, ses->domainName, CIFS_MAX_DOMAINNAME_LEN);

		bcc_ptr += strnlen(ses->domainName, CIFS_MAX_DOMAINNAME_LEN);

	} /* else we will send a null domain name

	     so the server will default to its own domain */

	*bcc_ptr = 0;