[patch 16/28] cifs: Increase size of tmp_buf in cifs_readdir to avoid potential overflows

From: Greg KH
Date: Thu May 14 2009 - 19:12:45 EST

Next message: Jason Wessel: "[PATCH] sysrq, intel_fb: fix sysrq g collision"
Previous message: Greg KH: "[patch 17/28] cifs: Fix incorrect destination buffer size in cifs_strncpy_to_host"
In reply to: Greg KH: "[patch 17/28] cifs: Fix incorrect destination buffer size in cifs_strncpy_to_host"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

2.6.27-stable review patch. If anyone has any objections, please let us know.

------------------

From: Suresh Jayaraman <sjayaraman@xxxxxxx>

Commit 7b0c8fcff47a885743125dd843db64af41af5a61 refreshed and use
a #define from commit f58841666bc22e827ca0dcef7b71c7bc2758ce82.

cifs: Increase size of tmp_buf in cifs_readdir to avoid potential overflows

Increase size of tmp_buf to possible maximum to avoid potential
overflows. Also moved UNICODE_NAME_MAX definition so that it can be used
elsewhere.

Pointed-out-by: Jeff Layton <jlayton@xxxxxxxxxx>
Signed-off-by: Suresh Jayaraman <sjayaraman@xxxxxxx>
Acked-by: Jeff Layton <jlayton@xxxxxxxxxx>
Signed-off-by: Steve French <sfrench@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxx>

---
fs/cifs/cifs_unicode.h | 7 +++++++
fs/cifs/readdir.c | 2 +-
2 files changed, 8 insertions(+), 1 deletion(-)

--- a/fs/cifs/cifs_unicode.h
+++ b/fs/cifs/cifs_unicode.h
@@ -64,6 +64,13 @@ int cifs_strtoUCS(__le16 *, const char *
#endif

/*
+ * To be safe - for UCS to UTF-8 with strings loaded with the rare long
+ * characters alloc more to account for such multibyte target UTF-8
+ * characters.
+ */
+#define UNICODE_NAME_MAX ((4 * NAME_MAX) + 2)
+
+/*
* UniStrcat: Concatenate the second string to the first
*
* Returns:
--- a/fs/cifs/readdir.c
+++ b/fs/cifs/readdir.c
@@ -1075,7 +1075,7 @@ int cifs_readdir(struct file *file, void
with the rare long characters alloc more to account for
such multibyte target UTF-8 characters. cifs_unicode.c,
which actually does the conversion, has the same limit */
- tmp_buf = kmalloc((2 * NAME_MAX) + 4, GFP_KERNEL);
+ tmp_buf = kmalloc(UNICODE_NAME_MAX, GFP_KERNEL);
for (i = 0; (i < num_to_fill) && (rc == 0); i++) {
if (current_entry == NULL) {
/* evaluate whether this case is an error */

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Jason Wessel: "[PATCH] sysrq, intel_fb: fix sysrq g collision"
Previous message: Greg KH: "[patch 17/28] cifs: Fix incorrect destination buffer size in cifs_strncpy_to_host"
In reply to: Greg KH: "[patch 17/28] cifs: Fix incorrect destination buffer size in cifs_strncpy_to_host"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]