| From 1fc29bacedeabb278080e31bb9c1ecb49f143c3b Mon Sep 17 00:00:00 2001 |
| From: Jeff Layton <jlayton@redhat.com> |
| Date: Fri, 31 May 2013 10:00:18 -0400 |
| Subject: cifs: fix off-by-one bug in build_unc_path_to_root |
| |
| From: Jeff Layton <jlayton@redhat.com> |
| |
| commit 1fc29bacedeabb278080e31bb9c1ecb49f143c3b upstream. |
| |
| commit 839db3d10a (cifs: fix up handling of prefixpath= option) changed |
| the code such that the vol->prepath no longer contained a leading |
| delimiter and then fixed up the places that accessed that field to |
| account for that change. |
| |
| One spot in build_unc_path_to_root was missed however. When doing the |
| pointer addition on pos, that patch failed to account for the fact that |
| we had already incremented "pos" by one when adding the length of the |
| prepath. This caused a buffer overrun by one byte. |
| |
| This patch fixes the problem by correcting the handling of "pos". |
| |
| Reported-by: Marcus Moeller <marcus.moeller@gmx.ch> |
| Reported-by: Ken Fallon <ken.fallon@gmail.com> |
| Signed-off-by: Jeff Layton <jlayton@redhat.com> |
| Signed-off-by: Steve French <sfrench@us.ibm.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| fs/cifs/connect.c | 4 ++-- |
| 1 file changed, 2 insertions(+), 2 deletions(-) |
| |
| --- a/fs/cifs/connect.c |
| +++ b/fs/cifs/connect.c |
| @@ -3332,8 +3332,8 @@ build_unc_path_to_root(const struct smb_ |
| pos = full_path + unc_len; |
| |
| if (pplen) { |
| - *pos++ = CIFS_DIR_SEP(cifs_sb); |
| - strncpy(pos, vol->prepath, pplen); |
| + *pos = CIFS_DIR_SEP(cifs_sb); |
| + strncpy(pos + 1, vol->prepath, pplen); |
| pos += pplen; |
| } |
| |