
cifs: fix off-by-one bug in build_unc_path_to_root

Message ID 1370008818-9427-1-git-send-email-jlayton@redhat.com (mailing list archive)
State New, archived

Commit Message

Jeff Layton May 31, 2013, 2 p.m. UTC
commit 839db3d10a (cifs: fix up handling of prefixpath= option) changed
the code such that the vol->prepath no longer contained a leading
delimiter and then fixed up the places that accessed that field to
account for that change.

One spot in build_unc_path_to_root was missed however. When doing the
pointer addition on pos, that patch failed to account for the fact that
we had already incremented "pos" by one when adding the length of the
prepath. This caused a buffer overrun by one byte.

This patch fixes the problem by correcting the handling of "pos".

Cc: <stable@vger.kernel.org> # v3.8+
Reported-by: Marcus Moeller <marcus.moeller@gmx.ch>
Reported-by: Ken Fallon <ken.fallon@gmail.com>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
---
 fs/cifs/connect.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
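
The overrun the commit message describes, replayed in user space with offsets in place of pointers. This is an added example, not code from the patch or the kernel tree. It assumes pplen is strlen(prepath) + 1, that full_path holds unc_len + pplen + 1 bytes and that a terminator is stored at pos after the block (none of this is shown on this page); build, overruns, MODEL_BUF and the sample share path are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#define MODEL_BUF 128   /* model scratch space, larger than any sample path */
struct result {
    size_t alloc;           /* modelled size of full_path; 0 = input too long */
    size_t nul_off;         /* offset of the final terminator store */
    char path[MODEL_BUF];
};
/* Replays the hunk with offsets, not pointers; fixed=0 is the '-' side. */
static struct result build(const char *unc, const char *prepath, int fixed)
{
    struct result r;
    size_t unc_len = strlen(unc);
    size_t pplen = prepath ? strlen(prepath) + 1 : 0;  /* assumed: sep + prepath */
    size_t pos = unc_len;                   /* pos = full_path + unc_len */
    memset(&r, 0, sizeof(r));
    if (unc_len + pplen + 2 > MODEL_BUF) return r;     /* too long to model */
    r.alloc = unc_len + pplen + 1;          /* assumed allocation size */
    memcpy(r.path, unc, unc_len);
    if (pplen) {
        /* '\\' stands in for CIFS_DIR_SEP; memcpy of pplen bytes stores the
         * same bytes as strncpy(..., pplen) under the assumed pplen. */
        if (fixed) {
            r.path[pos] = '\\';             /* *pos = SEP */
            memcpy(r.path + pos + 1, prepath, pplen);
        } else {
            r.path[pos++] = '\\';           /* *pos++ = SEP */
            memcpy(r.path + pos, prepath, pplen);
        }
        pos += pplen;
    }
    r.nul_off = pos;                        /* assumed trailing *pos = '\0' */
    r.path[pos] = '\0';
    return r;
}

/* 1 if the terminator lands outside the modelled allocation, -1 if not modelled. */
static int overruns(const struct result *r)
{
    return r->alloc ? r->nul_off >= r->alloc : -1;
}

int main(void)
{
    const char *unc = "\\\\server\\share", *pre = "dir/sub";  /* constructed */
    for (int fixed = 0; fixed <= 1; fixed++) {
        struct result r = build(unc, pre, fixed);
        printf("%s: alloc=%zu nul_off=%zu overrun=%d\n", fixed ? "patched" : "original", r.alloc, r.nul_off, overruns(&r));
    }
    return 0;
}
```

Both variants produce the same path string; only the offset of the final terminator store differs.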

Comments

Steve French May 31, 2013, 9:47 p.m. UTC | #1
merged into cifs-2.6.git for-3.10 (and also in for-3.11 tree)

(also updated for 3.11 and equivalently for-next with another patch
"cifs: remove the cifs_ses->flags field" and continuing to work
through your large auth update patch series)

On Fri, May 31, 2013 at 9:00 AM, Jeff Layton <jlayton@redhat.com> wrote:
> commit 839db3d10a (cifs: fix up handling of prefixpath= option) changed
> the code such that the vol->prepath no longer contained a leading
> delimiter and then fixed up the places that accessed that field to
> account for that change.
>
> One spot in build_unc_path_to_root was missed however. When doing the
> pointer addition on pos, that patch failed to account for the fact that
> we had already incremented "pos" by one when adding the length of the
> prepath. This caused a buffer overrun by one byte.
>
> This patch fixes the problem by correcting the handling of "pos".
>
> Cc: <stable@vger.kernel.org> # v3.8+
> Reported-by: Marcus Moeller <marcus.moeller@gmx.ch>
> Reported-by: Ken Fallon <ken.fallon@gmail.com>
> Signed-off-by: Jeff Layton <jlayton@redhat.com>
> ---
>  fs/cifs/connect.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
> index 5b97e56..e3bc39b 100644
> --- a/fs/cifs/connect.c
> +++ b/fs/cifs/connect.c
> @@ -3279,8 +3279,8 @@ build_unc_path_to_root(const struct smb_vol *vol,
>         pos = full_path + unc_len;
>
>         if (pplen) {
> -               *pos++ = CIFS_DIR_SEP(cifs_sb);
> -               strncpy(pos, vol->prepath, pplen);
> +               *pos = CIFS_DIR_SEP(cifs_sb);
> +               strncpy(pos + 1, vol->prepath, pplen);
>                 pos += pplen;
>         }
>
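
Review bot: strncpy(pos + 1, vol->prepath, pplen) on the + line leaves the result unterminated whenever vol->prepath has pplen or more characters, and the hunk does not show a terminator being stored afterwards. If the length of prepath is already known at this point, a memcpy of exactly that many bytes would state the intent more directly than strncpy with a count derived elsewhere.
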
> --
> 1.8.1.4
>

Patch

diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index 5b97e56..e3bc39b 100644
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -3279,8 +3279,8 @@  build_unc_path_to_root(const struct smb_vol *vol,
 	pos = full_path + unc_len;
 
 	if (pplen) {
-		*pos++ = CIFS_DIR_SEP(cifs_sb);
-		strncpy(pos, vol->prepath, pplen);
+		*pos = CIFS_DIR_SEP(cifs_sb);
+		strncpy(pos + 1, vol->prepath, pplen);
 		pos += pplen;
 	}
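
Review bot: With the increment removed from the separator store, pos += pplen is now the only advance of pos in this block, so it is correct only if pplen already includes the separator byte written at *pos, which the commit message states but the code does not. Since this is the spot the earlier prefixpath= change missed, consider a short comment on the if (pplen) block saying that pplen covers the separator plus the prepath, so a later cleanup does not reintroduce the extra increment.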