All of lore.kernel.org
 help / color / mirror / Atom feed
From: Jeff Layton <jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
To: Chen Gang <gang.chen-bOixZGp5f+dBDgjK7y7TUQ@public.gmane.org>
Cc: Scott Lovenberg
	<scott.lovenberg-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>,
	Steve French <smfrench-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>,
	"sfrench-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org"
	<sfrench-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>,
	linux-cifs <linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
	samba-technical-w/Ol4Ecudpl8XjKLYN78aQ@public.gmane.org,
	Shirish Pargaonkar
	<shirishpargaonkar-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Subject: Re: [PATCH v2] cifs: extend the buffer length enought for sprintf() using
Date: Fri, 19 Jul 2013 06:45:31 -0400	[thread overview]
Message-ID: <20130719064531.2a9836f5@tlielax.poochiereds.net> (raw)
In-Reply-To: <51E88FF0.2010101-bOixZGp5f+dBDgjK7y7TUQ@public.gmane.org>

On Fri, 19 Jul 2013 09:01:36 +0800
Chen Gang <gang.chen-bOixZGp5f+dBDgjK7y7TUQ@public.gmane.org> wrote:

> For cifs_set_cifscreds() in "fs/cifs/connect.c", 'desc' buffer length
> is 'CIFSCREDS_DESC_SIZE' (56 is less than 256), and 'ses->domainName'
> length may be "255 + '\0'".
> 
> The related sprintf() may cause memory overflow, so need extend related
> buffer enough to hold all things.
> 
> It is also necessary to be sure of 'ses->domainName' must be less than
> 256, and define the related macro instead of hard code number '256'.
> 
> Signed-off-by: Chen Gang <gang.chen-bOixZGp5f+dBDgjK7y7TUQ@public.gmane.org>
> ---
>  fs/cifs/cifsencrypt.c |    2 +-
>  fs/cifs/cifsglob.h    |    1 +
>  fs/cifs/connect.c     |    7 ++++---
>  fs/cifs/sess.c        |    6 +++---
>  4 files changed, 9 insertions(+), 7 deletions(-)
> 
> diff --git a/fs/cifs/cifsencrypt.c b/fs/cifs/cifsencrypt.c
> index 45e57cc..bb84d7c 100644
> --- a/fs/cifs/cifsencrypt.c
> +++ b/fs/cifs/cifsencrypt.c
> @@ -421,7 +421,7 @@ find_domain_name(struct cifs_ses *ses, const struct nls_table *nls_cp)
>  		if (blobptr + attrsize > blobend)
>  			break;
>  		if (type == NTLMSSP_AV_NB_DOMAIN_NAME) {
> -			if (!attrsize)
> +			if (!attrsize || attrsize >= MAX_DOMAINNAME_SIZE)
>  				break;
>  			if (!ses->domainName) {
>  				ses->domainName =
> diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h
> index 33f17ed..64bb4c5 100644
> --- a/fs/cifs/cifsglob.h
> +++ b/fs/cifs/cifsglob.h
> @@ -44,6 +44,7 @@
>  #define MAX_TREE_SIZE (2 + MAX_SERVER_SIZE + 1 + MAX_SHARE_SIZE + 1)
>  #define MAX_SERVER_SIZE 15
>  #define MAX_SHARE_SIZE 80
> +#define MAX_DOMAINNAME_SIZE 256	/* maximum fully qualified domain name (FQDN) */
>  #define MAX_USERNAME_SIZE 256	/* reasonable maximum for current servers */
>  #define MAX_PASSWORD_SIZE 512	/* max for windows seems to be 256 wide chars */
>  
> diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
> index fa68813..3f9dcf7 100644
> --- a/fs/cifs/connect.c
> +++ b/fs/cifs/connect.c
> @@ -1675,7 +1675,8 @@ cifs_parse_mount_options(const char *mountdata, const char *devname,
>  			if (string == NULL)
>  				goto out_nomem;
>  
> -			if (strnlen(string, 256) == 256) {
> +			if (strnlen(string, MAX_DOMAINNAME_SIZE)
> +					== MAX_DOMAINNAME_SIZE) {
>  				printk(KERN_WARNING "CIFS: domain name too"
>  						    " long\n");
>  				goto cifs_parse_mount_err;
> @@ -2276,8 +2277,8 @@ cifs_put_smb_ses(struct cifs_ses *ses)
>  
>  #ifdef CONFIG_KEYS
>  
> -/* strlen("cifs:a:") + INET6_ADDRSTRLEN + 1 */
> -#define CIFSCREDS_DESC_SIZE (7 + INET6_ADDRSTRLEN + 1)
> +/* strlen("cifs:a:") + MAX_DOMAINNAME_SIZE + 1 */
> +#define CIFSCREDS_DESC_SIZE (7 + MAX_DOMAINNAME_SIZE + 1)
>  
>  /* Populate username and pw fields from keyring if possible */
>  static int
> diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
> index 79358e3..57b1537 100644
> --- a/fs/cifs/sess.c
> +++ b/fs/cifs/sess.c
> @@ -197,7 +197,7 @@ static void unicode_domain_string(char **pbcc_area, struct cifs_ses *ses,
>  		bytes_ret = 0;
>  	} else
>  		bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, ses->domainName,
> -					    256, nls_cp);
> +					    MAX_DOMAINNAME_SIZE, nls_cp);
>  	bcc_ptr += 2 * bytes_ret;
>  	bcc_ptr += 2;  /* account for null terminator */
>  
> @@ -255,8 +255,8 @@ static void ascii_ssetup_strings(char **pbcc_area, struct cifs_ses *ses,
>  
>  	/* copy domain */
>  	if (ses->domainName != NULL) {
> -		strncpy(bcc_ptr, ses->domainName, 256);
> -		bcc_ptr += strnlen(ses->domainName, 256);
> +		strncpy(bcc_ptr, ses->domainName, MAX_DOMAINNAME_SIZE);
> +		bcc_ptr += strnlen(ses->domainName, MAX_DOMAINNAME_SIZE);
>  	} /* else we will send a null domain name
>  	     so the server will default to its own domain */
>  	*bcc_ptr = 0;

Looks good...

Reviewed-by: Jeff Layton <jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>

  parent reply	other threads:[~2013-07-19 10:45 UTC|newest]

Thread overview: 27+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-07-17  0:48 [PATCH] cifs: extend the buffer length enought for sprintf() using Chen Gang
     [not found] ` <51E5E9DA.8020603-bOixZGp5f+dBDgjK7y7TUQ@public.gmane.org>
2013-07-17  1:58   ` Scott Lovenberg
     [not found]     ` <CAFB9KM2nJEt-O+o=4bkxNMJ2Fr0TfjkpRF=7B98=Lp9zFu8_og-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-07-17  2:06       ` Steve French
     [not found]         ` <CAH2r5msQEbQWpE+wqEoLY_++=ywDVoAg_vmWB3kJG8=ECHC3Pg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-07-17  2:11           ` Chen Gang
2013-07-17 18:27           ` Scott Lovenberg
     [not found]             ` <CAFB9KM0rEDyE6hb8t-gDLTDKq9kaRr4Bhs7SLBEZTnyH5u5U-A-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-07-18  1:08               ` Chen Gang
2013-07-18  6:47                 ` Scott Lovenberg
     [not found]                   ` <CAFB9KM2MbLuETpoN9wafZLq6B9StjtXnG15G16uGcOcnRM8+sA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-07-19  1:01                     ` [PATCH v2] " Chen Gang
     [not found]                       ` <51E88FF0.2010101-bOixZGp5f+dBDgjK7y7TUQ@public.gmane.org>
2013-07-19 10:45                         ` Jeff Layton [this message]
     [not found]                           ` <20130719064531.2a9836f5-9yPaYZwiELC+kQycOl6kW4xkIHaj4LzF@public.gmane.org>
2013-07-19 15:46                             ` Steve French
     [not found]                               ` <CAH2r5mvccBQRikYbbUppmbCO1naSOOMJ+wVWxQEQBxhDdmnP_w-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-07-19 16:18                                 ` Steve French
2013-07-22  1:21                                 ` Chen Gang
     [not found]                                   ` <51EC890D.7010306-bOixZGp5f+dBDgjK7y7TUQ@public.gmane.org>
2013-07-31  4:59                                     ` Steve French
     [not found]                                       ` <CAH2r5mvPC0jiSDh5qTgerEV3JnRwcPPkKvnbT1QCO0CGiVngjg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-07-31 15:55                                         ` Scott Lovenberg
2013-07-22  0:29                             ` Chen Gang
2013-07-17  2:07       ` [PATCH] " Chen Gang
2013-07-19 17:51       ` Jeff Layton
     [not found]         ` <20130719135115.2ebff0cd-9yPaYZwiELC+kQycOl6kW4xkIHaj4LzF@public.gmane.org>
2013-07-19 19:32           ` Scott Lovenberg
     [not found]             ` <CAFB9KM1cP1rvnO66+9kz+zVhVOf+C-dAR7mVMx_uX9hT-ORLsw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-07-19 19:48               ` Jeff Layton
2013-07-17  3:47   ` Shirish Pargaonkar
     [not found]     ` <CADT32e+Ydg5N8uWyvCKee8n4iS34LcCFgE1nrC2S8bq7GnA-hg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-07-17  3:54       ` Steve French
2013-07-17  4:21       ` Chen Gang
2013-07-17 11:24       ` Jeff Layton
     [not found]         ` <20130717072431.5d8a22b3-9yPaYZwiELC+kQycOl6kW4xkIHaj4LzF@public.gmane.org>
2013-07-18  1:04           ` Chen Gang
     [not found]             ` <51E73F1E.4010804-bOixZGp5f+dBDgjK7y7TUQ@public.gmane.org>
2013-07-18  1:25               ` Jeff Layton
     [not found]                 ` <20130717212559.71b7af06-4QP7MXygkU+dMjc06nkz3ljfA9RmPOcC@public.gmane.org>
2013-07-18  1:31                   ` Chen Gang
2013-10-06  0:49                   ` Chen Gang

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20130719064531.2a9836f5@tlielax.poochiereds.net \
    --to=jlayton-h+wxahxf7alqt0dzr+alfa@public.gmane.org \
    --cc=gang.chen-bOixZGp5f+dBDgjK7y7TUQ@public.gmane.org \
    --cc=linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
    --cc=samba-technical-w/Ol4Ecudpl8XjKLYN78aQ@public.gmane.org \
    --cc=scott.lovenberg-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org \
    --cc=sfrench-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org \
    --cc=shirishpargaonkar-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org \
    --cc=smfrench-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.