Commit 166faf21 authored by Jeff Layton, committed by Steve French

cifs: fix potential buffer overrun when composing a new options string



Consider the case where we have a very short ip= string in the original
mount options, and when we chase a referral we end up with a very long
IPv6 address. Be sure to allow for that possibility when estimating the
size of the string to allocate.

Cc: <stable@vger.kernel.org>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
parent 62106e96
+3 −1
@@ -18,6 +18,7 @@
#include <linux/slab.h>
#include <linux/vfs.h>
#include <linux/fs.h>
#include <linux/inet.h>
#include "cifsglob.h"
#include "cifsproto.h"
#include "cifsfs.h"
@@ -150,7 +151,8 @@ char *cifs_compose_mount_options(const char *sb_mountdata,
	 * assuming that we have 'unc=' and 'ip=' in
	 * the original sb_mountdata
	 */
	md_len = strlen(sb_mountdata) + rc + strlen(ref->node_name) + 12;
	md_len = strlen(sb_mountdata) + rc + strlen(ref->node_name) + 12 +
			INET6_ADDRSTRLEN;
	mountdata = kzalloc(md_len+1, GFP_KERNEL);
	if (mountdata == NULL) {
		rc = -ENOMEM;
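
Review bot: The comment above the md_len calculation still only says the estimate assumes 'unc=' and 'ip=' are present in the original sb_mountdata, so neither the existing constant 12 nor the new INET6_ADDRSTRLEN term is explained at the point where it is used. Suggest extending that comment to state that the ip= value in the composed string can be longer than the one in sb_mountdata (up to a full IPv6 address after chasing a referral), and what the 12 accounts for. Because md_len remains an estimate rather than an exact length, it would also be worth having the code that fills mountdata check its writes against md_len instead of trusting the estimate.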