All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH] CIFS: Fix memory over bound bug in cifs_parse_mount_options
@ 2011-04-14 18:00 Pavel Shilovsky
       [not found] ` <1302804056-22865-1-git-send-email-piastry-7qunaywFIewox3rIn2DAYQ@public.gmane.org>
  0 siblings, 1 reply; 3+ messages in thread
From: Pavel Shilovsky @ 2011-04-14 18:00 UTC (permalink / raw)
  To: linux-cifs-u79uwXL29TY76Z2rM5mHXA

While password processing we can get out of options array bound if
the next character after array is delimiter. The patch adds a check
if we reach the end.

Signed-off-by: Pavel Shilovsky <piastry-7qunaywFIewox3rIn2DAYQ@public.gmane.org>
---
 fs/cifs/connect.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index db9d55b..4bc862a 100644
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -807,8 +807,7 @@ static int
 cifs_parse_mount_options(char *options, const char *devname,
 			 struct smb_vol *vol)
 {
-	char *value;
-	char *data;
+	char *value, *data, *end;
 	unsigned int  temp_len, i, j;
 	char separator[2];
 	short int override_uid = -1;
@@ -851,6 +850,7 @@ cifs_parse_mount_options(char *options, const char *devname,
 	if (!options)
 		return 1;
 
+	end = options + strlen(options);
 	if (strncmp(options, "sep=", 4) == 0) {
 		if (options[4] != 0) {
 			separator[0] = options[4];
@@ -916,6 +916,7 @@ cifs_parse_mount_options(char *options, const char *devname,
 			the only illegal character in a password is null */
 
 			if ((value[temp_len] == 0) &&
+			    (value + temp_len < end) &&
 			    (value[temp_len+1] == separator[0])) {
 				/* reinsert comma */
 				value[temp_len] = separator[0];
-- 
1.7.1

^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [PATCH] CIFS: Fix memory over bound bug in cifs_parse_mount_options
       [not found] ` <1302804056-22865-1-git-send-email-piastry-7qunaywFIewox3rIn2DAYQ@public.gmane.org>
@ 2011-04-15 13:07   ` Jeff Layton
  2011-04-21 17:25   ` Steve French
  1 sibling, 0 replies; 3+ messages in thread
From: Jeff Layton @ 2011-04-15 13:07 UTC (permalink / raw)
  To: Pavel Shilovsky; +Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA

On Thu, 14 Apr 2011 22:00:56 +0400
Pavel Shilovsky <piastry-7qunaywFIewox3rIn2DAYQ@public.gmane.org> wrote:

> While password processing we can get out of options array bound if
> the next character after array is delimiter. The patch adds a check
> if we reach the end.
> 
> Signed-off-by: Pavel Shilovsky <piastry-7qunaywFIewox3rIn2DAYQ@public.gmane.org>
> ---
>  fs/cifs/connect.c |    5 +++--
>  1 files changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
> index db9d55b..4bc862a 100644
> --- a/fs/cifs/connect.c
> +++ b/fs/cifs/connect.c
> @@ -807,8 +807,7 @@ static int
>  cifs_parse_mount_options(char *options, const char *devname,
>  			 struct smb_vol *vol)
>  {
> -	char *value;
> -	char *data;
> +	char *value, *data, *end;
>  	unsigned int  temp_len, i, j;
>  	char separator[2];
>  	short int override_uid = -1;
> @@ -851,6 +850,7 @@ cifs_parse_mount_options(char *options, const char *devname,
>  	if (!options)
>  		return 1;
>  
> +	end = options + strlen(options);
>  	if (strncmp(options, "sep=", 4) == 0) {
>  		if (options[4] != 0) {
>  			separator[0] = options[4];
> @@ -916,6 +916,7 @@ cifs_parse_mount_options(char *options, const char *devname,
>  			the only illegal character in a password is null */
>  
>  			if ((value[temp_len] == 0) &&
> +			    (value + temp_len < end) &&
>  			    (value[temp_len+1] == separator[0])) {
>  				/* reinsert comma */
>  				value[temp_len] = separator[0];

Ok, looks plausible. This code to parse out the password really makes
me want to vomit though. It would be nice to clean that up.

Reviewed-by: Jeff Layton <jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>

^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [PATCH] CIFS: Fix memory over bound bug in cifs_parse_mount_options
       [not found] ` <1302804056-22865-1-git-send-email-piastry-7qunaywFIewox3rIn2DAYQ@public.gmane.org>
  2011-04-15 13:07   ` Jeff Layton
@ 2011-04-21 17:25   ` Steve French
  1 sibling, 0 replies; 3+ messages in thread
From: Steve French @ 2011-04-21 17:25 UTC (permalink / raw)
  To: Pavel Shilovsky; +Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA

Merged into for-next in cifs-2.6.git

On Thu, Apr 14, 2011 at 1:00 PM, Pavel Shilovsky <piastry-7qunaywFIewox3rIn2DAYQ@public.gmane.org> wrote:
> While password processing we can get out of options array bound if
> the next character after array is delimiter. The patch adds a check
> if we reach the end.
>
> Signed-off-by: Pavel Shilovsky <piastry-7qunaywFIewox3rIn2DAYQ@public.gmane.org>
> ---
>  fs/cifs/connect.c |    5 +++--
>  1 files changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
> index db9d55b..4bc862a 100644
> --- a/fs/cifs/connect.c
> +++ b/fs/cifs/connect.c
> @@ -807,8 +807,7 @@ static int
>  cifs_parse_mount_options(char *options, const char *devname,
>                         struct smb_vol *vol)
>  {
> -       char *value;
> -       char *data;
> +       char *value, *data, *end;
>        unsigned int  temp_len, i, j;
>        char separator[2];
>        short int override_uid = -1;
> @@ -851,6 +850,7 @@ cifs_parse_mount_options(char *options, const char *devname,
>        if (!options)
>                return 1;
>
> +       end = options + strlen(options);
>        if (strncmp(options, "sep=", 4) == 0) {
>                if (options[4] != 0) {
>                        separator[0] = options[4];
> @@ -916,6 +916,7 @@ cifs_parse_mount_options(char *options, const char *devname,
>                        the only illegal character in a password is null */
>
>                        if ((value[temp_len] == 0) &&
> +                           (value + temp_len < end) &&
>                            (value[temp_len+1] == separator[0])) {
>                                /* reinsert comma */
>                                value[temp_len] = separator[0];
> --
> 1.7.1
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-cifs" in
> the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>



-- 
Thanks,

Steve

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2011-04-21 17:25 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2011-04-14 18:00 [PATCH] CIFS: Fix memory over bound bug in cifs_parse_mount_options Pavel Shilovsky
     [not found] ` <1302804056-22865-1-git-send-email-piastry-7qunaywFIewox3rIn2DAYQ@public.gmane.org>
2011-04-15 13:07   ` Jeff Layton
2011-04-21 17:25   ` Steve French

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.