| From d4e8f7fb97bed3a2f1bed7e687e965da8b0e30df Mon Sep 17 00:00:00 2001 |
| From: Pavel Shilovsky <piastry@etersoft.ru> |
| Date: Thu, 14 Apr 2011 22:00:56 +0400 |
| Subject: [PATCH] CIFS: Fix memory over bound bug in cifs_parse_mount_options |
| |
| commit 4906e50b37e6f6c264e7ee4237343eb2b7f8d16d upstream. |
| |
| While password processing we can get out of options array bound if |
| the next character after array is delimiter. The patch adds a check |
| if we reach the end. |
| |
| Signed-off-by: Pavel Shilovsky <piastry@etersoft.ru> |
| Reviewed-by: Jeff Layton <jlayton@redhat.com> |
| Signed-off-by: Steve French <sfrench@us.ibm.com> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c |
| index f6afb59..cebbc29 100644 |
| --- a/fs/cifs/connect.c |
| +++ b/fs/cifs/connect.c |
| @@ -800,8 +800,7 @@ static int |
| cifs_parse_mount_options(char *options, const char *devname, |
| struct smb_vol *vol) |
| { |
| - char *value; |
| - char *data; |
| + char *value, *data, *end; |
| unsigned int temp_len, i, j; |
| char separator[2]; |
| short int override_uid = -1; |
| @@ -844,6 +843,7 @@ cifs_parse_mount_options(char *options, const char *devname, |
| if (!options) |
| return 1; |
| |
| + end = options + strlen(options); |
| if (strncmp(options, "sep=", 4) == 0) { |
| if (options[4] != 0) { |
| separator[0] = options[4]; |
| @@ -908,6 +908,7 @@ cifs_parse_mount_options(char *options, const char *devname, |
| the only illegal character in a password is null */ |
| |
| if ((value[temp_len] == 0) && |
| + (value + temp_len < end) && |
| (value[temp_len+1] == separator[0])) { |
| /* reinsert comma */ |
| value[temp_len] = separator[0]; |
| -- |
| 1.7.7 |
| |
