From patchwork Sat Nov 3 12:50:19 2012
X-Patchwork-Submitter: Jeff Layton
X-Patchwork-Id: 1692241
From: Jeff Layton
To: linux-cifs@vger.kernel.org
Cc: shirishpargaonkar@gmail.com
Subject: [PATCH 02/17] setcifsacl: fix overrun of subauths array when copying SIDs
Date: Sat, 3 Nov 2012 08:50:19 -0400
Message-Id: <1351947034-18876-3-git-send-email-jlayton@samba.org>
In-Reply-To: <1351947034-18876-1-git-send-email-jlayton@samba.org>
References: <1351947034-18876-1-git-send-email-jlayton@samba.org>

copy_sec_desc() copies the owner and group SIDs from one security descriptor to another. Unfortunately, it doesn't take into account the fact that these are variable length and routinely overruns the SID structure when doing this copy and scribbles over the destination ACL.

This wasn't noticed before the change in the maximum number of subauths because the code either overwrote the damage afterward, or the overrun part was the same between source and destination anyway. Now that the max number of subauths is 15, it's more noticeable.

Fix it to only copy the number of subauths that are claimed in the buffer instead.

Signed-off-by: Jeff Layton
--- setcifsacl.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/setcifsacl.c b/setcifsacl.c index 23ab5b1..e97a35f 100644 --- a/setcifsacl.c +++ b/setcifsacl.c @@ -78,7 +78,7 @@ copy_sec_desc(const struct cifs_ntsd *pntsd, struct cifs_ntsd *pnntsd, nowner_sid_ptr->num_subauth = owner_sid_ptr->num_subauth; for (i = 0; i < NUM_AUTHS; i++) nowner_sid_ptr->authority[i] = owner_sid_ptr->authority[i]; - for (i = 0; i < SID_MAX_SUB_AUTHORITIES; i++) + for (i = 0; i < owner_sid_ptr->num_subauth; i++) nowner_sid_ptr->sub_auth[i] = owner_sid_ptr->sub_auth[i]; /* copy group sid */ 
@@ -89,7 +89,7 @@ copy_sec_desc(const struct cifs_ntsd *pntsd, struct cifs_ntsd *pnntsd, ngroup_sid_ptr->num_subauth = group_sid_ptr->num_subauth; for (i = 0; i < NUM_AUTHS; i++) ngroup_sid_ptr->authority[i] = group_sid_ptr->authority[i]; - for (i = 0; i < SID_MAX_SUB_AUTHORITIES; i++) + for (i = 0; i < group_sid_ptr->num_subauth; i++) ngroup_sid_ptr->sub_auth[i] = group_sid_ptr->sub_auth[i]; return;
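Review bot: In the owner-SID hunk (@@ -78,7 +78,7 @@), the new loop bound `owner_sid_ptr->num_subauth` is read straight from the source descriptor, and nothing in the visible context checks it against SID_MAX_SUB_AUTHORITIES. A descriptor that claims more subauths than sub_auth[] can hold would still index past the array, on the read from the source and on the write to the destination. Please validate the count before the copy, for example `if (owner_sid_ptr->num_subauth > SID_MAX_SUB_AUTHORITIES)` followed by an error path, so the bound is both "what the buffer claims" and "what the structure can hold".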
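Review bot: The group-SID hunk (@@ -89,7 +89,7 @@) repeats the owner-SID copy line for line, with only the pointer names changed, so the same bound fix had to be made twice and any later validation of num_subauth will have to be duplicated as well. Consider moving the three steps (num_subauth assignment, authority[] loop, sub_auth[] loop) into one helper that takes the source and destination SID pointers, and calling it for both owner and group. That keeps the loop bound and any range check on it in one place.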