Commit f083def6 authored by Jeff Layton's avatar Jeff Layton Committed by Steve French
Browse files

cifs: fix buffer size for tcon->nativeFileSystem field 



The buffer for this was resized recently to fix a bug. It's still
possible however that a malicious server could overflow this field
by sending characters in it that are >2 bytes in the local charset.
Double the size of the buffer to account for this possibility.

Also get rid of some really strange and seemingly pointless NULL
termination. It's NULL terminating the string in the source buffer,
but by the time that happens, we've already copied the string.

Signed-off-by: default avatarJeff Layton <jlayton@redhat.com>
Signed-off-by: default avatarSteve French <sfrench@us.ibm.com>
parent 27b87fe5

fs/cifs/connect.c

+2 −5
Original line number Diff line number Diff line
@@ -3756,16 +3756,13 @@ CIFSTCon(unsigned int xid, struct cifsSesInfo *ses, 
			    BCC(smb_buffer_response)) {

				kfree(tcon->nativeFileSystem);

				tcon->nativeFileSystem =

				    kzalloc(2*(length + 1), GFP_KERNEL);

				    kzalloc((4 * length) + 2, GFP_KERNEL);

				if (tcon->nativeFileSystem)

					cifs_strfromUCS_le(

						tcon->nativeFileSystem,

						(__le16 *) bcc_ptr,

						length, nls_codepage);

				bcc_ptr += 2 * length;

				bcc_ptr[0] = 0;	/* null terminate the string */

				bcc_ptr[1] = 0;

				bcc_ptr += 2;

				bcc_ptr += (2 * length) + 2;

			}

			/* else do not bother copying these information fields*/

		} else {

CRA Git | Maintained and supported by SUSTech CRA and CCSE