aboutsummaryrefslogtreecommitdiff
path: root/fs/cifs
diff options
context:
space:
mode:
authorJeff Layton2009-04-16 11:21:52 -0400
committerSteve French2009-04-17 01:26:50 +0000
commitf083def68f84b04fe3f97312498911afce79609e (patch)
treef7550b49ad4b364f542dd1afe1bd2736fd34485f /fs/cifs
parent27b87fe52baba0a55e9723030e76fce94fabcea4 (diff)
cifs: fix buffer size for tcon->nativeFileSystem field
The buffer for this was resized recently to fix a bug. It's still possible however that a malicious server could overflow this field by sending characters in it that are >2 bytes in the local charset. Double the size of the buffer to account for this possibility. Also get rid of some really strange and seemingly pointless NULL termination. It's NULL terminating the string in the source buffer, but by the time that happens, we've already copied the string. Signed-off-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
Diffstat (limited to 'fs/cifs')
-rw-r--r--fs/cifs/connect.c7
1 files changed, 2 insertions, 5 deletions
diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index 01e280cab066..1a93604d98f6 100644
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -3756,16 +3756,13 @@ CIFSTCon(unsigned int xid, struct cifsSesInfo *ses,
BCC(smb_buffer_response)) {
kfree(tcon->nativeFileSystem);
tcon->nativeFileSystem =
- kzalloc(2*(length + 1), GFP_KERNEL);
+ kzalloc((4 * length) + 2, GFP_KERNEL);
if (tcon->nativeFileSystem)
cifs_strfromUCS_le(
tcon->nativeFileSystem,
(__le16 *) bcc_ptr,
length, nls_codepage);
- bcc_ptr += 2 * length;
- bcc_ptr[0] = 0; /* null terminate the string */
- bcc_ptr[1] = 0;
- bcc_ptr += 2;
+ bcc_ptr += (2 * length) + 2;
}
/* else do not bother copying these information fields*/
} else {