From mboxrd@z Thu Jan 1 00:00:00 1970 From: Steve French Subject: Re: [PATCH v2] cifs: extend the buffer length enought for sprintf() using Date: Tue, 30 Jul 2013 23:59:59 -0500 Message-ID: References: <51E5E9DA.8020603@asianux.com> <51E74008.8050308@asianux.com> <51E88FF0.2010101@asianux.com> <20130719064531.2a9836f5@tlielax.poochiereds.net> <51EC890D.7010306@asianux.com> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Cc: Jeff Layton , Scott Lovenberg , "sfrench-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org" , linux-cifs , samba-technical-w/Ol4Ecudpl8XjKLYN78aQ@public.gmane.org, Shirish Pargaonkar To: Chen Gang Return-path: In-Reply-To: <51EC890D.7010306-bOixZGp5f+dBDgjK7y7TUQ@public.gmane.org> Sender: linux-cifs-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org List-ID: I updated the version of the patch slightly which is in cifs-2.6.git so we don't have to rename the MAX_DOMAINNAME_SIZE field multiple times. Let me know if you see problems. It could make Scott's followup patch a little easier to understand without the renamed #define. commit 057d6332b24a4497c55a761c83c823eed9e3f23b Author: Chen Gang Date: Fri Jul 19 09:01:36 2013 +0800 cifs: extend the buffer length enought for sprintf() using For cifs_set_cifscreds() in "fs/cifs/connect.c", 'desc' buffer length is 'CIFSCREDS_DESC_SIZE' (56 is less than 256), and 'ses->domainName' length may be "255 + '\0'". The related sprintf() may cause memory overflow, so need extend related buffer enough to hold all things. It is also necessary to be sure of 'ses->domainName' must be less than 256, and define the related macro instead of hard code number '256'. Signed-off-by: Chen Gang Reviewed-by: Jeff Layton Reviewed-by: Shirish Pargaonkar Reviewed-by: Scott Lovenberg CC: Signed-off-by: Steve French diff --git a/fs/cifs/cifsencrypt.c b/fs/cifs/cifsencrypt.c index 45e57cc..194f9cc 100644 --- a/fs/cifs/cifsencrypt.c +++ b/fs/cifs/cifsencrypt.c @@ -421,7 +421,7 @@ find_domain_name(struct cifs_ses *ses, const struct nls_table *nls_cp) if (blobptr + attrsize > blobend) break; if (type == NTLMSSP_AV_NB_DOMAIN_NAME) { - if (!attrsize) + if (!attrsize || attrsize >= CIFS_MAX_DOMAINNAME_LEN) break; if (!ses->domainName) { ses->domainName = diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h index 1fdc370..0e68893 100644 --- a/fs/cifs/cifsglob.h +++ b/fs/cifs/cifsglob.h @@ -44,6 +44,7 @@ #define MAX_TREE_SIZE (2 + MAX_SERVER_SIZE + 1 + MAX_SHARE_SIZE + 1) #define MAX_SERVER_SIZE 15 #define MAX_SHARE_SIZE 80 +#define CIFS_MAX_DOMAINNAME_LEN 256 /* max domain name length */ #define MAX_USERNAME_SIZE 256 /* reasonable maximum for current servers */ #define MAX_PASSWORD_SIZE 512 /* max for windows seems to be 256 wide chars */ diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c index fa68813..d67c550 100644 --- a/fs/cifs/connect.c +++ b/fs/cifs/connect.c @@ -1675,7 +1675,8 @@ cifs_parse_mount_options(const char *mountdata, const char *devname, if (string == NULL) goto out_nomem; - if (strnlen(string, 256) == 256) { + if (strnlen(string, CIFS_MAX_DOMAINNAME_LEN) + == CIFS_MAX_DOMAINNAME_LEN) { printk(KERN_WARNING "CIFS: domain name too" " long\n"); goto cifs_parse_mount_err; @@ -2276,8 +2277,8 @@ cifs_put_smb_ses(struct cifs_ses *ses) #ifdef CONFIG_KEYS -/* strlen("cifs:a:") + INET6_ADDRSTRLEN + 1 */ -#define CIFSCREDS_DESC_SIZE (7 + INET6_ADDRSTRLEN + 1) +/* strlen("cifs:a:") + CIFS_MAX_DOMAINNAME_LEN + 1 */ +#define CIFSCREDS_DESC_SIZE (7 + CIFS_MAX_DOMAINNAME_LEN + 1) /* Populate username and pw fields from keyring if possible */ static int diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c index 79358e3..08dd37b 100644 --- a/fs/cifs/sess.c +++ b/fs/cifs/sess.c @@ -197,7 +197,7 @@ static void unicode_domain_string(char **pbcc_area, struct cifs_ses *ses, bytes_ret = 0; } else bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, ses->domainName, - 256, nls_cp); + CIFS_MAX_DOMAINNAME_LEN, nls_cp); bcc_ptr += 2 * bytes_ret; bcc_ptr += 2; /* account for null terminator */ @@ -255,8 +255,8 @@ static void ascii_ssetup_strings(char **pbcc_area, struct cifs_ses *ses, /* copy domain */ if (ses->domainName != NULL) { - strncpy(bcc_ptr, ses->domainName, 256); - bcc_ptr += strnlen(ses->domainName, 256); + strncpy(bcc_ptr, ses->domainName, CIFS_MAX_DOMAINNAME_LEN); + bcc_ptr += strnlen(ses->domainName, CIFS_MAX_DOMAINNAME_LEN); } /* else we will send a null domain name so the server will default to its own domain */ *bcc_ptr = 0; On Sun, Jul 21, 2013 at 8:21 PM, Chen Gang wrote: > On 07/19/2013 11:46 PM, Steve French wrote: >> merged into cifs-2.6.git >> > > Thanks. > >> On Fri, Jul 19, 2013 at 5:45 AM, Jeff Layton wrote: >>> > On Fri, 19 Jul 2013 09:01:36 +0800 >>> > Chen Gang wrote: >>> > >>>> >> For cifs_set_cifscreds() in "fs/cifs/connect.c", 'desc' buffer length >>>> >> is 'CIFSCREDS_DESC_SIZE' (56 is less than 256), and 'ses->domainName' >>>> >> length may be "255 + '\0'". >>>> >> >>>> >> The related sprintf() may cause memory overflow, so need extend related >>>> >> buffer enough to hold all things. >>>> >> >>>> >> It is also necessary to be sure of 'ses->domainName' must be less than >>>> >> 256, and define the related macro instead of hard code number '256'. >>>> >> >>>> >> Signed-off-by: Chen Gang >>>> >> --- >>>> >> fs/cifs/cifsencrypt.c | 2 +- >>>> >> fs/cifs/cifsglob.h | 1 + >>>> >> fs/cifs/connect.c | 7 ++++--- >>>> >> fs/cifs/sess.c | 6 +++--- >>>> >> 4 files changed, 9 insertions(+), 7 deletions(-) >>>> >> >>>> >> diff --git a/fs/cifs/cifsencrypt.c b/fs/cifs/cifsencrypt.c >>>> >> index 45e57cc..bb84d7c 100644 >>>> >> --- a/fs/cifs/cifsencrypt.c >>>> >> +++ b/fs/cifs/cifsencrypt.c >>>> >> @@ -421,7 +421,7 @@ find_domain_name(struct cifs_ses *ses, const struct nls_table *nls_cp) >>>> >> if (blobptr + attrsize > blobend) >>>> >> break; >>>> >> if (type == NTLMSSP_AV_NB_DOMAIN_NAME) { >>>> >> - if (!attrsize) >>>> >> + if (!attrsize || attrsize >= MAX_DOMAINNAME_SIZE) >>>> >> break; >>>> >> if (!ses->domainName) { >>>> >> ses->domainName = >>>> >> diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h >>>> >> index 33f17ed..64bb4c5 100644 >>>> >> --- a/fs/cifs/cifsglob.h >>>> >> +++ b/fs/cifs/cifsglob.h >>>> >> @@ -44,6 +44,7 @@ >>>> >> #define MAX_TREE_SIZE (2 + MAX_SERVER_SIZE + 1 + MAX_SHARE_SIZE + 1) >>>> >> #define MAX_SERVER_SIZE 15 >>>> >> #define MAX_SHARE_SIZE 80 >>>> >> +#define MAX_DOMAINNAME_SIZE 256 /* maximum fully qualified domain name (FQDN) */ >>>> >> #define MAX_USERNAME_SIZE 256 /* reasonable maximum for current servers */ >>>> >> #define MAX_PASSWORD_SIZE 512 /* max for windows seems to be 256 wide chars */ >>>> >> >>>> >> diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c >>>> >> index fa68813..3f9dcf7 100644 >>>> >> --- a/fs/cifs/connect.c >>>> >> +++ b/fs/cifs/connect.c >>>> >> @@ -1675,7 +1675,8 @@ cifs_parse_mount_options(const char *mountdata, const char *devname, >>>> >> if (string == NULL) >>>> >> goto out_nomem; >>>> >> >>>> >> - if (strnlen(string, 256) == 256) { >>>> >> + if (strnlen(string, MAX_DOMAINNAME_SIZE) >>>> >> + == MAX_DOMAINNAME_SIZE) { >>>> >> printk(KERN_WARNING "CIFS: domain name too" >>>> >> " long\n"); >>>> >> goto cifs_parse_mount_err; >>>> >> @@ -2276,8 +2277,8 @@ cifs_put_smb_ses(struct cifs_ses *ses) >>>> >> >>>> >> #ifdef CONFIG_KEYS >>>> >> >>>> >> -/* strlen("cifs:a:") + INET6_ADDRSTRLEN + 1 */ >>>> >> -#define CIFSCREDS_DESC_SIZE (7 + INET6_ADDRSTRLEN + 1) >>>> >> +/* strlen("cifs:a:") + MAX_DOMAINNAME_SIZE + 1 */ >>>> >> +#define CIFSCREDS_DESC_SIZE (7 + MAX_DOMAINNAME_SIZE + 1) >>>> >> >>>> >> /* Populate username and pw fields from keyring if possible */ >>>> >> static int >>>> >> diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c >>>> >> index 79358e3..57b1537 100644 >>>> >> --- a/fs/cifs/sess.c >>>> >> +++ b/fs/cifs/sess.c >>>> >> @@ -197,7 +197,7 @@ static void unicode_domain_string(char **pbcc_area, struct cifs_ses *ses, >>>> >> bytes_ret = 0; >>>> >> } else >>>> >> bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, ses->domainName, >>>> >> - 256, nls_cp); >>>> >> + MAX_DOMAINNAME_SIZE, nls_cp); >>>> >> bcc_ptr += 2 * bytes_ret; >>>> >> bcc_ptr += 2; /* account for null terminator */ >>>> >> >>>> >> @@ -255,8 +255,8 @@ static void ascii_ssetup_strings(char **pbcc_area, struct cifs_ses *ses, >>>> >> >>>> >> /* copy domain */ >>>> >> if (ses->domainName != NULL) { >>>> >> - strncpy(bcc_ptr, ses->domainName, 256); >>>> >> - bcc_ptr += strnlen(ses->domainName, 256); >>>> >> + strncpy(bcc_ptr, ses->domainName, MAX_DOMAINNAME_SIZE); >>>> >> + bcc_ptr += strnlen(ses->domainName, MAX_DOMAINNAME_SIZE); >>>> >> } /* else we will send a null domain name >>>> >> so the server will default to its own domain */ >>>> >> *bcc_ptr = 0; >>> > >>> > Looks good... >>> > >>> > Reviewed-by: Jeff Layton >> >> >> -- Thanks, Steve >> > > > -- > Chen Gang -- Thanks, Steve