diff mbox

[v2] cifs: extend the buffer length enought for sprintf() using

Message ID CAH2r5mvPC0jiSDh5qTgerEV3JnRwcPPkKvnbT1QCO0CGiVngjg@mail.gmail.com (mailing list archive)
State New, archived
Headers show

Commit Message

Steve French July 31, 2013, 4:59 a.m. UTC
I updated the version of the patch slightly which is in cifs-2.6.git
so we don't have to rename the MAX_DOMAINNAME_SIZE field multiple
times.  Let me know if you see problems.  It could make Scott's
followup patch a little easier to understand without the renamed
#define.

commit 057d6332b24a4497c55a761c83c823eed9e3f23b
Author: Chen Gang <gang.chen@asianux.com>
Date:   Fri Jul 19 09:01:36 2013 +0800

    cifs: extend the buffer length enought for sprintf() using

    For cifs_set_cifscreds() in "fs/cifs/connect.c", 'desc' buffer length
    is 'CIFSCREDS_DESC_SIZE' (56 is less than 256), and 'ses->domainName'
    length may be "255 + '\0'".

    The related sprintf() may cause memory overflow, so need extend related
    buffer enough to hold all things.

    It is also necessary to be sure of 'ses->domainName' must be less than
    256, and define the related macro instead of hard code number '256'.

    Signed-off-by: Chen Gang <gang.chen@asianux.com>
    Reviewed-by: Jeff Layton <jlayton@redhat.com>
    Reviewed-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
    Reviewed-by: Scott Lovenberg <scott.lovenberg@gmail.com>
    CC: <stable@vger.kernel.org>
    Signed-off-by: Steve French <smfrench@gmail.com>


@@ -255,8 +255,8 @@ static void ascii_ssetup_strings(char **pbcc_area,
struct cifs_ses *ses,

 	/* copy domain */
 	if (ses->domainName != NULL) {
-		strncpy(bcc_ptr, ses->domainName, 256);
-		bcc_ptr += strnlen(ses->domainName, 256);
+		strncpy(bcc_ptr, ses->domainName, CIFS_MAX_DOMAINNAME_LEN);
+		bcc_ptr += strnlen(ses->domainName, CIFS_MAX_DOMAINNAME_LEN);
 	} /* else we will send a null domain name
 	     so the server will default to its own domain */
 	*bcc_ptr = 0;

On Sun, Jul 21, 2013 at 8:21 PM, Chen Gang <gang.chen@asianux.com> wrote:
> On 07/19/2013 11:46 PM, Steve French wrote:
>> merged into cifs-2.6.git
>>
>
> Thanks.
>
>> On Fri, Jul 19, 2013 at 5:45 AM, Jeff Layton <jlayton@redhat.com> wrote:
>>> > On Fri, 19 Jul 2013 09:01:36 +0800
>>> > Chen Gang <gang.chen@asianux.com> wrote:
>>> >
>>>> >> For cifs_set_cifscreds() in "fs/cifs/connect.c", 'desc' buffer length
>>>> >> is 'CIFSCREDS_DESC_SIZE' (56 is less than 256), and 'ses->domainName'
>>>> >> length may be "255 + '\0'".
>>>> >>
>>>> >> The related sprintf() may cause memory overflow, so need extend related
>>>> >> buffer enough to hold all things.
>>>> >>
>>>> >> It is also necessary to be sure of 'ses->domainName' must be less than
>>>> >> 256, and define the related macro instead of hard code number '256'.
>>>> >>
>>>> >> Signed-off-by: Chen Gang <gang.chen@asianux.com>
>>>> >> ---
>>>> >>  fs/cifs/cifsencrypt.c |    2 +-
>>>> >>  fs/cifs/cifsglob.h    |    1 +
>>>> >>  fs/cifs/connect.c     |    7 ++++---
>>>> >>  fs/cifs/sess.c        |    6 +++---
>>>> >>  4 files changed, 9 insertions(+), 7 deletions(-)
>>>> >>
>>>> >> diff --git a/fs/cifs/cifsencrypt.c b/fs/cifs/cifsencrypt.c
>>>> >> index 45e57cc..bb84d7c 100644
>>>> >> --- a/fs/cifs/cifsencrypt.c
>>>> >> +++ b/fs/cifs/cifsencrypt.c
>>>> >> @@ -421,7 +421,7 @@ find_domain_name(struct cifs_ses *ses, const struct nls_table *nls_cp)
>>>> >>               if (blobptr + attrsize > blobend)
>>>> >>                       break;
>>>> >>               if (type == NTLMSSP_AV_NB_DOMAIN_NAME) {
>>>> >> -                     if (!attrsize)
>>>> >> +                     if (!attrsize || attrsize >= MAX_DOMAINNAME_SIZE)
>>>> >>                               break;
>>>> >>                       if (!ses->domainName) {
>>>> >>                               ses->domainName =
>>>> >> diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h
>>>> >> index 33f17ed..64bb4c5 100644
>>>> >> --- a/fs/cifs/cifsglob.h
>>>> >> +++ b/fs/cifs/cifsglob.h
>>>> >> @@ -44,6 +44,7 @@
>>>> >>  #define MAX_TREE_SIZE (2 + MAX_SERVER_SIZE + 1 + MAX_SHARE_SIZE + 1)
>>>> >>  #define MAX_SERVER_SIZE 15
>>>> >>  #define MAX_SHARE_SIZE 80
>>>> >> +#define MAX_DOMAINNAME_SIZE 256      /* maximum fully qualified domain name (FQDN) */
>>>> >>  #define MAX_USERNAME_SIZE 256        /* reasonable maximum for current servers */
>>>> >>  #define MAX_PASSWORD_SIZE 512        /* max for windows seems to be 256 wide chars */
>>>> >>
>>>> >> diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
>>>> >> index fa68813..3f9dcf7 100644
>>>> >> --- a/fs/cifs/connect.c
>>>> >> +++ b/fs/cifs/connect.c
>>>> >> @@ -1675,7 +1675,8 @@ cifs_parse_mount_options(const char *mountdata, const char *devname,
>>>> >>                       if (string == NULL)
>>>> >>                               goto out_nomem;
>>>> >>
>>>> >> -                     if (strnlen(string, 256) == 256) {
>>>> >> +                     if (strnlen(string, MAX_DOMAINNAME_SIZE)
>>>> >> +                                     == MAX_DOMAINNAME_SIZE) {
>>>> >>                               printk(KERN_WARNING "CIFS: domain name too"
>>>> >>                                                   " long\n");
>>>> >>                               goto cifs_parse_mount_err;
>>>> >> @@ -2276,8 +2277,8 @@ cifs_put_smb_ses(struct cifs_ses *ses)
>>>> >>
>>>> >>  #ifdef CONFIG_KEYS
>>>> >>
>>>> >> -/* strlen("cifs:a:") + INET6_ADDRSTRLEN + 1 */
>>>> >> -#define CIFSCREDS_DESC_SIZE (7 + INET6_ADDRSTRLEN + 1)
>>>> >> +/* strlen("cifs:a:") + MAX_DOMAINNAME_SIZE + 1 */
>>>> >> +#define CIFSCREDS_DESC_SIZE (7 + MAX_DOMAINNAME_SIZE + 1)
>>>> >>
>>>> >>  /* Populate username and pw fields from keyring if possible */
>>>> >>  static int
>>>> >> diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
>>>> >> index 79358e3..57b1537 100644
>>>> >> --- a/fs/cifs/sess.c
>>>> >> +++ b/fs/cifs/sess.c
>>>> >> @@ -197,7 +197,7 @@ static void unicode_domain_string(char **pbcc_area, struct cifs_ses *ses,
>>>> >>               bytes_ret = 0;
>>>> >>       } else
>>>> >>               bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, ses->domainName,
>>>> >> -                                         256, nls_cp);
>>>> >> +                                         MAX_DOMAINNAME_SIZE, nls_cp);
>>>> >>       bcc_ptr += 2 * bytes_ret;
>>>> >>       bcc_ptr += 2;  /* account for null terminator */
>>>> >>
>>>> >> @@ -255,8 +255,8 @@ static void ascii_ssetup_strings(char **pbcc_area, struct cifs_ses *ses,
>>>> >>
>>>> >>       /* copy domain */
>>>> >>       if (ses->domainName != NULL) {
>>>> >> -             strncpy(bcc_ptr, ses->domainName, 256);
>>>> >> -             bcc_ptr += strnlen(ses->domainName, 256);
>>>> >> +             strncpy(bcc_ptr, ses->domainName, MAX_DOMAINNAME_SIZE);
>>>> >> +             bcc_ptr += strnlen(ses->domainName, MAX_DOMAINNAME_SIZE);
>>>> >>       } /* else we will send a null domain name
>>>> >>            so the server will default to its own domain */
>>>> >>       *bcc_ptr = 0;
>>> >
>>> > Looks good...
>>> >
>>> > Reviewed-by: Jeff Layton <jlayton@redhat.com>
>>
>>
>> -- Thanks, Steve
>>
>
>
> --
> Chen Gang

Comments

Scott Lovenberg July 31, 2013, 3:55 p.m. UTC | #1
On Wed, Jul 31, 2013 at 12:59 AM, Steve French <smfrench@gmail.com> wrote:
> I updated the version of the patch slightly which is in cifs-2.6.git
> so we don't have to rename the MAX_DOMAINNAME_SIZE field multiple
> times.  Let me know if you see problems.  It could make Scott's
> followup patch a little easier to understand without the renamed
> #define.
> --
> Thanks,
>
> Steve

+1.  I agree it streamlines the other patch set.
diff mbox

Patch

diff --git a/fs/cifs/cifsencrypt.c b/fs/cifs/cifsencrypt.c
index 45e57cc..194f9cc 100644
--- a/fs/cifs/cifsencrypt.c
+++ b/fs/cifs/cifsencrypt.c
@@ -421,7 +421,7 @@  find_domain_name(struct cifs_ses *ses, const
struct nls_table *nls_cp)
 		if (blobptr + attrsize > blobend)
 			break;
 		if (type == NTLMSSP_AV_NB_DOMAIN_NAME) {
-			if (!attrsize)
+			if (!attrsize || attrsize >= CIFS_MAX_DOMAINNAME_LEN)
 				break;
 			if (!ses->domainName) {
 				ses->domainName =
diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h
index 1fdc370..0e68893 100644
--- a/fs/cifs/cifsglob.h
+++ b/fs/cifs/cifsglob.h
@@ -44,6 +44,7 @@ 
 #define MAX_TREE_SIZE (2 + MAX_SERVER_SIZE + 1 + MAX_SHARE_SIZE + 1)
 #define MAX_SERVER_SIZE 15
 #define MAX_SHARE_SIZE 80
+#define CIFS_MAX_DOMAINNAME_LEN 256 /* max domain name length */
 #define MAX_USERNAME_SIZE 256	/* reasonable maximum for current servers */
 #define MAX_PASSWORD_SIZE 512	/* max for windows seems to be 256 wide chars */

diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index fa68813..d67c550 100644
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -1675,7 +1675,8 @@  cifs_parse_mount_options(const char *mountdata,
const char *devname,
 			if (string == NULL)
 				goto out_nomem;

-			if (strnlen(string, 256) == 256) {
+			if (strnlen(string, CIFS_MAX_DOMAINNAME_LEN)
+					== CIFS_MAX_DOMAINNAME_LEN) {
 				printk(KERN_WARNING "CIFS: domain name too"
 						    " long\n");
 				goto cifs_parse_mount_err;
@@ -2276,8 +2277,8 @@  cifs_put_smb_ses(struct cifs_ses *ses)

 #ifdef CONFIG_KEYS

-/* strlen("cifs:a:") + INET6_ADDRSTRLEN + 1 */
-#define CIFSCREDS_DESC_SIZE (7 + INET6_ADDRSTRLEN + 1)
+/* strlen("cifs:a:") + CIFS_MAX_DOMAINNAME_LEN + 1 */
+#define CIFSCREDS_DESC_SIZE (7 + CIFS_MAX_DOMAINNAME_LEN + 1)

 /* Populate username and pw fields from keyring if possible */
 static int
diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
index 79358e3..08dd37b 100644
--- a/fs/cifs/sess.c
+++ b/fs/cifs/sess.c
@@ -197,7 +197,7 @@  static void unicode_domain_string(char
**pbcc_area, struct cifs_ses *ses,
 		bytes_ret = 0;
 	} else
 		bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, ses->domainName,
-					    256, nls_cp);
+					    CIFS_MAX_DOMAINNAME_LEN, nls_cp);
 	bcc_ptr += 2 * bytes_ret;
 	bcc_ptr += 2;  /* account for null terminator */