Message ID | 1302804056-22865-1-git-send-email-piastry@etersoft.ru (mailing list archive) |
---|---|
State | New, archived |
On Thu, 14 Apr 2011 22:00:56 +0400 Pavel Shilovsky <piastry@etersoft.ru> wrote: > While password processing we can get out of options array bound if > the next character after array is delimiter. The patch adds a check > if we reach the end. > > Signed-off-by: Pavel Shilovsky <piastry@etersoft.ru> > --- > fs/cifs/connect.c | 5 +++-- > 1 files changed, 3 insertions(+), 2 deletions(-) > > diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c > index db9d55b..4bc862a 100644 > --- a/fs/cifs/connect.c > +++ b/fs/cifs/connect.c > @@ -807,8 +807,7 @@ static int > cifs_parse_mount_options(char *options, const char *devname, > struct smb_vol *vol) > { > - char *value; > - char *data; > + char *value, *data, *end; > unsigned int temp_len, i, j; > char separator[2]; > short int override_uid = -1; > @@ -851,6 +850,7 @@ cifs_parse_mount_options(char *options, const char *devname, > if (!options) > return 1; > > + end = options + strlen(options); > if (strncmp(options, "sep=", 4) == 0) { > if (options[4] != 0) { > separator[0] = options[4]; > @@ -916,6 +916,7 @@ cifs_parse_mount_options(char *options, const char *devname, > the only illegal character in a password is null */ > > if ((value[temp_len] == 0) && > + (value + temp_len < end) && > (value[temp_len+1] == separator[0])) { > /* reinsert comma */ > value[temp_len] = separator[0]; Ok, looks plausible. This code to parse out the password really makes me want to vomit though. It would be nice to clean that up. Reviewed-by: Jeff Layton <jlayton@redhat.com>
diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c index db9d55b..4bc862a 100644 --- a/fs/cifs/connect.c +++ b/fs/cifs/connect.c @@ -807,8 +807,7 @@ static int cifs_parse_mount_options(char *options, const char *devname, struct smb_vol *vol) { - char *value; - char *data; + char *value, *data, *end; unsigned int temp_len, i, j; char separator[2]; short int override_uid = -1; @@ -851,6 +850,7 @@ cifs_parse_mount_options(char *options, const char *devname, if (!options) return 1; + end = options + strlen(options); if (strncmp(options, "sep=", 4) == 0) { if (options[4] != 0) { separator[0] = options[4]; @@ -916,6 +916,7 @@ cifs_parse_mount_options(char *options, const char *devname, the only illegal character in a password is null */ if ((value[temp_len] == 0) && + (value + temp_len < end) && (value[temp_len+1] == separator[0])) { /* reinsert comma */ value[temp_len] = separator[0];
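Review bot: The first hunk (@@ -807,8 +807,7) folds `value` and `data` into a single declaration only to add `end`, which turns a one-line addition into a three-line change and goes against the kernel coding style's one-declaration-per-line rule. Leaving the two existing lines untouched and adding a separate `const char *end;` would keep the diff minimal; `const` fits because the visible hunks only assign `end` once and compare against it, never write through it.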
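Review bot: In the second hunk (@@ -851,6 +850,7), `end = options + strlen(options);` needs a comment saying that it must be taken before parsing starts. The `/* reinsert comma */` line in the last hunk suggests separators in this buffer are replaced by NULs while it is parsed, so a strlen() taken any later would stop at the first option. Noting on this line that `end` points at the terminating NUL of the original option string would keep a later cleanup from moving the assignment.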
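Review bot: In the last hunk (@@ -916,6 +916,7), the added `(value + temp_len < end)` needs a comment, because it is the only thing keeping the `value[temp_len+1]` read on the next line inside the option string and the condition does not say so. The ordering is correct: `value[temp_len]` is tested first and is at worst the terminator, and the bound is evaluated before the `+1` lookahead. A one-line comment above the new line, along the lines of "do not look past the terminating NUL", would be enough. If the same `value[temp_len+1]` lookahead is repeated further down this block, it needs the same bound.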
While processing the password, we can get out of the options array bound if the next character after the array is a delimiter. The patch adds a check if we reach the end.

Signed-off-by: Pavel Shilovsky <piastry@etersoft.ru>

---
 fs/cifs/connect.c | 5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)