| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 10 Feb 2016 18:14:21 -0600
From: Steve French <smfrench@...il.com>
To: Insu Yun <wuninsu@...il.com>
Cc: Steve French <sfrench@...ba.org>,
"linux-cifs@...r.kernel.org" <linux-cifs@...r.kernel.org>,
samba-technical <samba-technical@...ts.samba.org>,
LKML <linux-kernel@...r.kernel.org>, taesoo@...ech.edu,
yeongjin.jang@...ech.edu, insu@...ech.edu, changwoo@...ech.edu
Subject: Re: [PATCH] cifs: fix potential overflow in cifs_compose_mount_options
On Mon, Feb 1, 2016 at 10:34 AM, Insu Yun <wuninsu@...il.com> wrote:
> In worst case, "ip=" + sb_mountdata + ipv6 can be copied into mountdata.
> Therefore, for safe, it is better to add more size when allocating memory.
>
> Signed-off-by: Insu Yun <wuninsu@...il.com>
> ---
> fs/cifs/cifs_dfs_ref.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fs/cifs/cifs_dfs_ref.c b/fs/cifs/cifs_dfs_ref.c
> index 7dc886c..e956cba 100644
> --- a/fs/cifs/cifs_dfs_ref.c
> +++ b/fs/cifs/cifs_dfs_ref.c
> @@ -175,7 +175,7 @@ char *cifs_compose_mount_options(const char *sb_mountdata,
> * string to the length of the original string to allow for worst case.
> */
> md_len = strlen(sb_mountdata) + INET6_ADDRSTRLEN;
> - mountdata = kzalloc(md_len + 1, GFP_KERNEL);
> + mountdata = kzalloc(md_len + sizeof("ip=") + 1, GFP_KERNEL);
> if (mountdata == NULL) {
> rc = -ENOMEM;
> goto compose_mount_options_err;
Not likely to be reproducible in practice (since ip= is already in the
sb_mountdata) but in case mount.cifs was missing and ip= was missing from
the original mount string, might as well add it.
Merged into cifs-2.6.git
--
Thanks,
Steve
Powered by blists - more mailing lists