From: Steve French <smfrench-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
To: Chen Gang <gang.chen-bOixZGp5f+dBDgjK7y7TUQ@public.gmane.org>
Cc: Jeff Layton <jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
Scott Lovenberg
<scott.lovenberg-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>,
"sfrench-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org"
<sfrench-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>,
linux-cifs <linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
samba-technical-w/Ol4Ecudpl8XjKLYN78aQ@public.gmane.org,
Shirish Pargaonkar
<shirishpargaonkar-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Subject: Re: [PATCH v2] cifs: extend the buffer length enought for sprintf() using
Date: Tue, 30 Jul 2013 23:59:59 -0500 [thread overview]
Message-ID: <CAH2r5mvPC0jiSDh5qTgerEV3JnRwcPPkKvnbT1QCO0CGiVngjg@mail.gmail.com> (raw)
In-Reply-To: <51EC890D.7010306-bOixZGp5f+dBDgjK7y7TUQ@public.gmane.org>
I updated the version of the patch slightly which is in cifs-2.6.git
so we don't have to rename the MAX_DOMAINNAME_SIZE field multiple
times. Let me know if you see problems. It could make Scott's
followup patch a little easier to understand without the renamed
#define.
commit 057d6332b24a4497c55a761c83c823eed9e3f23b
Author: Chen Gang <gang.chen-bOixZGp5f+dBDgjK7y7TUQ@public.gmane.org>
Date: Fri Jul 19 09:01:36 2013 +0800
cifs: extend the buffer length enought for sprintf() using
For cifs_set_cifscreds() in "fs/cifs/connect.c", 'desc' buffer length
is 'CIFSCREDS_DESC_SIZE' (56 is less than 256), and 'ses->domainName'
length may be "255 + '\0'".
The related sprintf() may cause memory overflow, so need extend related
buffer enough to hold all things.
It is also necessary to be sure of 'ses->domainName' must be less than
256, and define the related macro instead of hard code number '256'.
Signed-off-by: Chen Gang <gang.chen-bOixZGp5f+dBDgjK7y7TUQ@public.gmane.org>
Reviewed-by: Jeff Layton <jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Reviewed-by: Shirish Pargaonkar <shirishpargaonkar-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Reviewed-by: Scott Lovenberg <scott.lovenberg-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
CC: <stable-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>
Signed-off-by: Steve French <smfrench-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
diff --git a/fs/cifs/cifsencrypt.c b/fs/cifs/cifsencrypt.c
index 45e57cc..194f9cc 100644
--- a/fs/cifs/cifsencrypt.c
+++ b/fs/cifs/cifsencrypt.c
@@ -421,7 +421,7 @@ find_domain_name(struct cifs_ses *ses, const
struct nls_table *nls_cp)
if (blobptr + attrsize > blobend)
break;
if (type == NTLMSSP_AV_NB_DOMAIN_NAME) {
- if (!attrsize)
+ if (!attrsize || attrsize >= CIFS_MAX_DOMAINNAME_LEN)
break;
if (!ses->domainName) {
ses->domainName =
diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h
index 1fdc370..0e68893 100644
--- a/fs/cifs/cifsglob.h
+++ b/fs/cifs/cifsglob.h
@@ -44,6 +44,7 @@
#define MAX_TREE_SIZE (2 + MAX_SERVER_SIZE + 1 + MAX_SHARE_SIZE + 1)
#define MAX_SERVER_SIZE 15
#define MAX_SHARE_SIZE 80
+#define CIFS_MAX_DOMAINNAME_LEN 256 /* max domain name length */
#define MAX_USERNAME_SIZE 256 /* reasonable maximum for current servers */
#define MAX_PASSWORD_SIZE 512 /* max for windows seems to be 256 wide chars */
diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index fa68813..d67c550 100644
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -1675,7 +1675,8 @@ cifs_parse_mount_options(const char *mountdata,
const char *devname,
if (string == NULL)
goto out_nomem;
- if (strnlen(string, 256) == 256) {
+ if (strnlen(string, CIFS_MAX_DOMAINNAME_LEN)
+ == CIFS_MAX_DOMAINNAME_LEN) {
printk(KERN_WARNING "CIFS: domain name too"
" long\n");
goto cifs_parse_mount_err;
@@ -2276,8 +2277,8 @@ cifs_put_smb_ses(struct cifs_ses *ses)
#ifdef CONFIG_KEYS
-/* strlen("cifs:a:") + INET6_ADDRSTRLEN + 1 */
-#define CIFSCREDS_DESC_SIZE (7 + INET6_ADDRSTRLEN + 1)
+/* strlen("cifs:a:") + CIFS_MAX_DOMAINNAME_LEN + 1 */
+#define CIFSCREDS_DESC_SIZE (7 + CIFS_MAX_DOMAINNAME_LEN + 1)
/* Populate username and pw fields from keyring if possible */
static int
diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
index 79358e3..08dd37b 100644
--- a/fs/cifs/sess.c
+++ b/fs/cifs/sess.c
@@ -197,7 +197,7 @@ static void unicode_domain_string(char
**pbcc_area, struct cifs_ses *ses,
bytes_ret = 0;
} else
bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, ses->domainName,
- 256, nls_cp);
+ CIFS_MAX_DOMAINNAME_LEN, nls_cp);
bcc_ptr += 2 * bytes_ret;
bcc_ptr += 2; /* account for null terminator */
@@ -255,8 +255,8 @@ static void ascii_ssetup_strings(char **pbcc_area,
struct cifs_ses *ses,
/* copy domain */
if (ses->domainName != NULL) {
- strncpy(bcc_ptr, ses->domainName, 256);
- bcc_ptr += strnlen(ses->domainName, 256);
+ strncpy(bcc_ptr, ses->domainName, CIFS_MAX_DOMAINNAME_LEN);
+ bcc_ptr += strnlen(ses->domainName, CIFS_MAX_DOMAINNAME_LEN);
} /* else we will send a null domain name
so the server will default to its own domain */
*bcc_ptr = 0;
On Sun, Jul 21, 2013 at 8:21 PM, Chen Gang <gang.chen-bOixZGp5f+dBDgjK7y7TUQ@public.gmane.org> wrote:
> On 07/19/2013 11:46 PM, Steve French wrote:
>> merged into cifs-2.6.git
>>
>
> Thanks.
>
>> On Fri, Jul 19, 2013 at 5:45 AM, Jeff Layton <jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> wrote:
>>> > On Fri, 19 Jul 2013 09:01:36 +0800
>>> > Chen Gang <gang.chen-bOixZGp5f+dBDgjK7y7TUQ@public.gmane.org> wrote:
>>> >
>>>> >> For cifs_set_cifscreds() in "fs/cifs/connect.c", 'desc' buffer length
>>>> >> is 'CIFSCREDS_DESC_SIZE' (56 is less than 256), and 'ses->domainName'
>>>> >> length may be "255 + '\0'".
>>>> >>
>>>> >> The related sprintf() may cause memory overflow, so need extend related
>>>> >> buffer enough to hold all things.
>>>> >>
>>>> >> It is also necessary to be sure of 'ses->domainName' must be less than
>>>> >> 256, and define the related macro instead of hard code number '256'.
>>>> >>
>>>> >> Signed-off-by: Chen Gang <gang.chen-bOixZGp5f+dBDgjK7y7TUQ@public.gmane.org>
>>>> >> ---
>>>> >> fs/cifs/cifsencrypt.c | 2 +-
>>>> >> fs/cifs/cifsglob.h | 1 +
>>>> >> fs/cifs/connect.c | 7 ++++---
>>>> >> fs/cifs/sess.c | 6 +++---
>>>> >> 4 files changed, 9 insertions(+), 7 deletions(-)
>>>> >>
>>>> >> diff --git a/fs/cifs/cifsencrypt.c b/fs/cifs/cifsencrypt.c
>>>> >> index 45e57cc..bb84d7c 100644
>>>> >> --- a/fs/cifs/cifsencrypt.c
>>>> >> +++ b/fs/cifs/cifsencrypt.c
>>>> >> @@ -421,7 +421,7 @@ find_domain_name(struct cifs_ses *ses, const struct nls_table *nls_cp)
>>>> >> if (blobptr + attrsize > blobend)
>>>> >> break;
>>>> >> if (type == NTLMSSP_AV_NB_DOMAIN_NAME) {
>>>> >> - if (!attrsize)
>>>> >> + if (!attrsize || attrsize >= MAX_DOMAINNAME_SIZE)
>>>> >> break;
>>>> >> if (!ses->domainName) {
>>>> >> ses->domainName =
>>>> >> diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h
>>>> >> index 33f17ed..64bb4c5 100644
>>>> >> --- a/fs/cifs/cifsglob.h
>>>> >> +++ b/fs/cifs/cifsglob.h
>>>> >> @@ -44,6 +44,7 @@
>>>> >> #define MAX_TREE_SIZE (2 + MAX_SERVER_SIZE + 1 + MAX_SHARE_SIZE + 1)
>>>> >> #define MAX_SERVER_SIZE 15
>>>> >> #define MAX_SHARE_SIZE 80
>>>> >> +#define MAX_DOMAINNAME_SIZE 256 /* maximum fully qualified domain name (FQDN) */
>>>> >> #define MAX_USERNAME_SIZE 256 /* reasonable maximum for current servers */
>>>> >> #define MAX_PASSWORD_SIZE 512 /* max for windows seems to be 256 wide chars */
>>>> >>
>>>> >> diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
>>>> >> index fa68813..3f9dcf7 100644
>>>> >> --- a/fs/cifs/connect.c
>>>> >> +++ b/fs/cifs/connect.c
>>>> >> @@ -1675,7 +1675,8 @@ cifs_parse_mount_options(const char *mountdata, const char *devname,
>>>> >> if (string == NULL)
>>>> >> goto out_nomem;
>>>> >>
>>>> >> - if (strnlen(string, 256) == 256) {
>>>> >> + if (strnlen(string, MAX_DOMAINNAME_SIZE)
>>>> >> + == MAX_DOMAINNAME_SIZE) {
>>>> >> printk(KERN_WARNING "CIFS: domain name too"
>>>> >> " long\n");
>>>> >> goto cifs_parse_mount_err;
>>>> >> @@ -2276,8 +2277,8 @@ cifs_put_smb_ses(struct cifs_ses *ses)
>>>> >>
>>>> >> #ifdef CONFIG_KEYS
>>>> >>
>>>> >> -/* strlen("cifs:a:") + INET6_ADDRSTRLEN + 1 */
>>>> >> -#define CIFSCREDS_DESC_SIZE (7 + INET6_ADDRSTRLEN + 1)
>>>> >> +/* strlen("cifs:a:") + MAX_DOMAINNAME_SIZE + 1 */
>>>> >> +#define CIFSCREDS_DESC_SIZE (7 + MAX_DOMAINNAME_SIZE + 1)
>>>> >>
>>>> >> /* Populate username and pw fields from keyring if possible */
>>>> >> static int
>>>> >> diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
>>>> >> index 79358e3..57b1537 100644
>>>> >> --- a/fs/cifs/sess.c
>>>> >> +++ b/fs/cifs/sess.c
>>>> >> @@ -197,7 +197,7 @@ static void unicode_domain_string(char **pbcc_area, struct cifs_ses *ses,
>>>> >> bytes_ret = 0;
>>>> >> } else
>>>> >> bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, ses->domainName,
>>>> >> - 256, nls_cp);
>>>> >> + MAX_DOMAINNAME_SIZE, nls_cp);
>>>> >> bcc_ptr += 2 * bytes_ret;
>>>> >> bcc_ptr += 2; /* account for null terminator */
>>>> >>
>>>> >> @@ -255,8 +255,8 @@ static void ascii_ssetup_strings(char **pbcc_area, struct cifs_ses *ses,
>>>> >>
>>>> >> /* copy domain */
>>>> >> if (ses->domainName != NULL) {
>>>> >> - strncpy(bcc_ptr, ses->domainName, 256);
>>>> >> - bcc_ptr += strnlen(ses->domainName, 256);
>>>> >> + strncpy(bcc_ptr, ses->domainName, MAX_DOMAINNAME_SIZE);
>>>> >> + bcc_ptr += strnlen(ses->domainName, MAX_DOMAINNAME_SIZE);
>>>> >> } /* else we will send a null domain name
>>>> >> so the server will default to its own domain */
>>>> >> *bcc_ptr = 0;
>>> >
>>> > Looks good...
>>> >
>>> > Reviewed-by: Jeff Layton <jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
>>
>>
>> -- Thanks, Steve
>>
>
>
> --
> Chen Gang
--
Thanks,
Steve
next prev parent reply other threads:[~2013-07-31 4:59 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-07-17 0:48 [PATCH] cifs: extend the buffer length enought for sprintf() using Chen Gang
[not found] ` <51E5E9DA.8020603-bOixZGp5f+dBDgjK7y7TUQ@public.gmane.org>
2013-07-17 1:58 ` Scott Lovenberg
[not found] ` <CAFB9KM2nJEt-O+o=4bkxNMJ2Fr0TfjkpRF=7B98=Lp9zFu8_og-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-07-17 2:06 ` Steve French
[not found] ` <CAH2r5msQEbQWpE+wqEoLY_++=ywDVoAg_vmWB3kJG8=ECHC3Pg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-07-17 2:11 ` Chen Gang
2013-07-17 18:27 ` Scott Lovenberg
[not found] ` <CAFB9KM0rEDyE6hb8t-gDLTDKq9kaRr4Bhs7SLBEZTnyH5u5U-A-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-07-18 1:08 ` Chen Gang
2013-07-18 6:47 ` Scott Lovenberg
[not found] ` <CAFB9KM2MbLuETpoN9wafZLq6B9StjtXnG15G16uGcOcnRM8+sA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-07-19 1:01 ` [PATCH v2] " Chen Gang
[not found] ` <51E88FF0.2010101-bOixZGp5f+dBDgjK7y7TUQ@public.gmane.org>
2013-07-19 10:45 ` Jeff Layton
[not found] ` <20130719064531.2a9836f5-9yPaYZwiELC+kQycOl6kW4xkIHaj4LzF@public.gmane.org>
2013-07-19 15:46 ` Steve French
[not found] ` <CAH2r5mvccBQRikYbbUppmbCO1naSOOMJ+wVWxQEQBxhDdmnP_w-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-07-19 16:18 ` Steve French
2013-07-22 1:21 ` Chen Gang
[not found] ` <51EC890D.7010306-bOixZGp5f+dBDgjK7y7TUQ@public.gmane.org>
2013-07-31 4:59 ` Steve French [this message]
[not found] ` <CAH2r5mvPC0jiSDh5qTgerEV3JnRwcPPkKvnbT1QCO0CGiVngjg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-07-31 15:55 ` Scott Lovenberg
2013-07-22 0:29 ` Chen Gang
2013-07-17 2:07 ` [PATCH] " Chen Gang
2013-07-19 17:51 ` Jeff Layton
[not found] ` <20130719135115.2ebff0cd-9yPaYZwiELC+kQycOl6kW4xkIHaj4LzF@public.gmane.org>
2013-07-19 19:32 ` Scott Lovenberg
[not found] ` <CAFB9KM1cP1rvnO66+9kz+zVhVOf+C-dAR7mVMx_uX9hT-ORLsw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-07-19 19:48 ` Jeff Layton
2013-07-17 3:47 ` Shirish Pargaonkar
[not found] ` <CADT32e+Ydg5N8uWyvCKee8n4iS34LcCFgE1nrC2S8bq7GnA-hg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-07-17 3:54 ` Steve French
2013-07-17 4:21 ` Chen Gang
2013-07-17 11:24 ` Jeff Layton
[not found] ` <20130717072431.5d8a22b3-9yPaYZwiELC+kQycOl6kW4xkIHaj4LzF@public.gmane.org>
2013-07-18 1:04 ` Chen Gang
[not found] ` <51E73F1E.4010804-bOixZGp5f+dBDgjK7y7TUQ@public.gmane.org>
2013-07-18 1:25 ` Jeff Layton
[not found] ` <20130717212559.71b7af06-4QP7MXygkU+dMjc06nkz3ljfA9RmPOcC@public.gmane.org>
2013-07-18 1:31 ` Chen Gang
2013-10-06 0:49 ` Chen Gang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAH2r5mvPC0jiSDh5qTgerEV3JnRwcPPkKvnbT1QCO0CGiVngjg@mail.gmail.com \
--to=smfrench-re5jqeeqqe8avxtiumwx3w@public.gmane.org \
--cc=gang.chen-bOixZGp5f+dBDgjK7y7TUQ@public.gmane.org \
--cc=jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=samba-technical-w/Ol4Ecudpl8XjKLYN78aQ@public.gmane.org \
--cc=scott.lovenberg-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org \
--cc=sfrench-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org \
--cc=shirishpargaonkar-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.