Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 4906e50b authored by Pavel Shilovsky's avatar Pavel Shilovsky Committed by Steve French
Browse files

CIFS: Fix memory over bound bug in cifs_parse_mount_options 



While password processing we can get out of options array bound if
the next character after array is delimiter. The patch adds a check
if we reach the end.

Signed-off-by: default avatarPavel Shilovsky <piastry@etersoft.ru>
Reviewed-by: default avatarJeff Layton <jlayton@redhat.com>
Signed-off-by: default avatarSteve French <sfrench@us.ibm.com>
parent f0e615c3

fs/cifs/connect.c

+3 −2
Original line number Diff line number Diff line
@@ -807,8 +807,7 @@ static int 
cifs_parse_mount_options(char *options, const char *devname,

			 struct smb_vol *vol)

{

	char *value;

	char *data;

	char *value, *data, *end;

	unsigned int  temp_len, i, j;

	char separator[2];

	short int override_uid = -1;
@@ -851,6 +850,7 @@ cifs_parse_mount_options(char *options, const char *devname, 
	if (!options)

		return 1;



	end = options + strlen(options);

	if (strncmp(options, "sep=", 4) == 0) {

		if (options[4] != 0) {

			separator[0] = options[4];
@@ -916,6 +916,7 @@ cifs_parse_mount_options(char *options, const char *devname, 
			the only illegal character in a password is null */



			if ((value[temp_len] == 0) &&

			    (value + temp_len < end) &&

			    (value[temp_len+1] == separator[0])) {

				/* reinsert comma */

				value[temp_len] = separator[0];