Re: [PATCH] cifs: fix potential overflow in cifs_compose_mount_options

From: Steve French
Date: Wed Feb 10 2016 - 19:14:47 EST


On Mon, Feb 1, 2016 at 10:34 AM, Insu Yun <wuninsu@xxxxxxxxx> wrote:
> In worst case, "ip=" + sb_mountdata + ipv6 can be copied into mountdata.
> Therefore, for safe, it is better to add more size when allocating memory.
>
> Signed-off-by: Insu Yun <wuninsu@xxxxxxxxx>
> ---
> fs/cifs/cifs_dfs_ref.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fs/cifs/cifs_dfs_ref.c b/fs/cifs/cifs_dfs_ref.c
> index 7dc886c..e956cba 100644
> --- a/fs/cifs/cifs_dfs_ref.c
> +++ b/fs/cifs/cifs_dfs_ref.c
> @@ -175,7 +175,7 @@ char *cifs_compose_mount_options(const char *sb_mountdata,
> * string to the length of the original string to allow for worst case.
> */
> md_len = strlen(sb_mountdata) + INET6_ADDRSTRLEN;
> - mountdata = kzalloc(md_len + 1, GFP_KERNEL);
> + mountdata = kzalloc(md_len + sizeof("ip=") + 1, GFP_KERNEL);
> if (mountdata == NULL) {
> rc = -ENOMEM;
> goto compose_mount_options_err;

Not likely to be reproducible in practice (since ip= is already in the
sb_mountdata) but in case mount.cifs was missing and ip= was missing from
the original mount string, might as well add it.

Merged into cifs-2.6.git


--
Thanks,

Steve