diff options
| author | Pavel Shilovsky <piastry@etersoft.ru> | 2011-04-14 22:00:56 +0400 |
|---|---|---|
| committer | Andi Kleen <ak@linux.intel.com> | 2011-08-01 13:54:48 -0700 |
| commit | f3b60ef4bcc7b233a816df5fded90e1ba99d47d6 (patch) | |
| tree | 6e5592b1e6c1dc91883e9afb4699d688353b246c /fs | |
| parent | 92f9dab23e4e424f28c6aca43cd2611b0b301965 (diff) | |
CIFS: Fix memory over bound bug in cifs_parse_mount_options
commit 4906e50b37e6f6c264e7ee4237343eb2b7f8d16d upstream.
While password processing we can get out of options array bound if
the next character after array is delimiter. The patch adds a check
if we reach the end.
Signed-off-by: Pavel Shilovsky <piastry@etersoft.ru>
Reviewed-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Diffstat (limited to 'fs')
| -rw-r--r-- | fs/cifs/connect.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c index 50d60cc80ce8..a30b080490ed 100644 --- a/fs/cifs/connect.c +++ b/fs/cifs/connect.c @@ -801,8 +801,7 @@ static int cifs_parse_mount_options(char *options, const char *devname, struct smb_vol *vol) { - char *value; - char *data; + char *value, *data, *end; unsigned int temp_len, i, j; char separator[2]; short int override_uid = -1; @@ -845,6 +844,7 @@ cifs_parse_mount_options(char *options, const char *devname, if (!options) return 1; + end = options + strlen(options); if (strncmp(options, "sep=", 4) == 0) { if (options[4] != 0) { separator[0] = options[4]; @@ -909,6 +909,7 @@ cifs_parse_mount_options(char *options, const char *devname, the only illegal character in a password is null */ if ((value[temp_len] == 0) && + (value + temp_len < end) && (value[temp_len+1] == separator[0])) { /* reinsert comma */ value[temp_len] = separator[0]; |