authorJeff Layton <jlayton@redhat.com>2009-05-09 11:19:05 +0530
committerGreg Kroah-Hartman <gregkh@suse.de>2009-05-18 16:34:56 -0700
commit5b0ecf297e133be1e4767b1e446a6d7902274c13 (patch)
tree0f505d0efd435005b59b0095a41d4b127ba86f1e
parent6c3823bc3abf2d10f9220cb1847060aa20cee77e (diff)
cifs: Fix buffer size for tcon->nativeFileSystem field
Commit f083def68f84b04fe3f97312498911afce79609e refreshed. cifs: fix buffer size for tcon->nativeFileSystem field The buffer for this was resized recently to fix a bug. It's still possible however that a malicious server could overflow this field by sending characters in it that are >2 bytes in the local charset. Double the size of the buffer to account for this possibility. Also get rid of some really strange and seemingly pointless NULL termination. It's NULL terminating the string in the source buffer, but by the time that happens, we've already copied the string. Signed-off-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve French <sfrench@us.ibm.com> Cc: Suresh Jayaraman <sjayaraman@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r--fs/cifs/connect.c6
1 files changed, 1 insertions, 5 deletions
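--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -3667,16 +3667,12 @@ CIFSTCon(unsigned int xid, struct cifsSesInfo *ses,
 BCC(smb_buffer_response)) {
 kfree(tcon->nativeFileSystem);
 tcon->nativeFileSystem =
-kzalloc(2*(length + 1), GFP_KERNEL);
+kzalloc((4 * length) + 2, GFP_KERNEL);
 if (tcon->nativeFileSystem)
 cifs_strfromUCS_le(
 tcon->nativeFileSystem,
 (__le16 *) bcc_ptr,
 length, nls_codepage);
-bcc_ptr += 2 * length;
-bcc_ptr[0] = 0; /* null terminate the string */
-bcc_ptr[1] = 0;
-bcc_ptr += 2;
 }
 /* else do not bother copying these information fields*/
 } else {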
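Review bot: The new size `(4 * length) + 2` is a hand-picked per-character expansion factor rather than the bound the NLS layer itself guarantees, and cifs_strfromUCS_le() is given only the input count, not the destination size, so the allocation is the only thing standing between a server-supplied string and an overflow; if I read the nls contract correctly, a codepage may emit up to NLS_MAX_CHARSET_SIZE bytes per unit, so `kzalloc((length + 1) * NLS_MAX_CHARSET_SIZE, GFP_KERNEL);` would make the bound hold for any codepage rather than only the ones that stay within 4 bytes. At minimum the constant deserves a comment stating the assumption, e.g. `/* worst case: each UCS-2 unit may expand to several bytes in the local charset; length comes from the server */`. Where `length` is derived and validated against the remaining byte count is outside this hunk, as is the rest of CIFSTCon(), which starts and ends outside it.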