@@ -78,7 +78,7 @@ copy_sec_desc(const struct cifs_ntsd *pntsd, struct cifs_ntsd *pnntsd,
nowner_sid_ptr->num_subauth = owner_sid_ptr->num_subauth;
for (i = 0; i < NUM_AUTHS; i++)
nowner_sid_ptr->authority[i] = owner_sid_ptr->authority[i];
- for (i = 0; i < SID_MAX_SUB_AUTHORITIES; i++)
+ for (i = 0; i < owner_sid_ptr->num_subauth; i++)
nowner_sid_ptr->sub_auth[i] = owner_sid_ptr->sub_auth[i];
/* copy group sid */
@@ -89,7 +89,7 @@ copy_sec_desc(const struct cifs_ntsd *pntsd, struct cifs_ntsd *pnntsd,
ngroup_sid_ptr->num_subauth = group_sid_ptr->num_subauth;
for (i = 0; i < NUM_AUTHS; i++)
ngroup_sid_ptr->authority[i] = group_sid_ptr->authority[i];
- for (i = 0; i < SID_MAX_SUB_AUTHORITIES; i++)
+ for (i = 0; i < group_sid_ptr->num_subauth; i++)
ngroup_sid_ptr->sub_auth[i] = group_sid_ptr->sub_auth[i];
return;
copy_sec_desc() copies the owner and group SIDs from one security descriptor to another. Unfortunately, it doesn't take into account the fact that these are variable length and routinely overruns the SID structure when doing this copy and scribbles over the destination ACL. This wasn't noticed before the change in the maximum number of subauths because the code either overwrote the damage afterward, or the overrun part was the same between source and destination anyway. Now that the max number of subauths is 15, it's more noticable. Fix it to only copy the number of subauths that claimed in the buffer instead. Signed-off-by: Jeff Layton <jlayton@samba.org> --- setcifsacl.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)