redonkable
/
alistair23-linux
1
0
Fork 0
Code Releases Activity

CIFS: Fix memory over bound bug in cifs_parse_mount_options 

While password processing we can get out of options array bound if
the next character after array is delimiter. The patch adds a check
if we reach the end.

Signed-off-by: Pavel Shilovsky <piastry@etersoft.ru>
Reviewed-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
hifive-unleashed-5.1
Pavel Shilovsky 2011-04-14 22:00:56 +04:00 committed by Steve French
parent f0e615c3cb
commit 4906e50b37
1 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
fs/cifs/connect.c
View File

@ -807,8 +807,7 @@ static int
cifs_parse_mount_options(char *options, const char *devname,
struct smb_vol *vol)
{
char *value;
char *data;
char *value, *data, *end;
unsigned int temp_len, i, j;
char separator[2];
short int override_uid = -1;
@ -851,6 +850,7 @@ cifs_parse_mount_options(char *options, const char *devname,
if (!options)
return 1;
end = options + strlen(options);
if (strncmp(options, "sep=", 4) == 0) {
if (options[4] != 0) {
separator[0] = options[4];
@ -916,6 +916,7 @@ cifs_parse_mount_options(char *options, const char *devname,
the only illegal character in a password is null */
if ((value[temp_len] == 0) &&
(value + temp_len < end) &&
(value[temp_len+1] == separator[0])) {
/* reinsert comma */
value[temp_len] = separator[0];