From patchwork Tue Jul 26 19:03:20 2011
X-Patchwork-Submitter: Jeff Layton
X-Patchwork-Id: 1009392
From: Jeff Layton
To: smfrench@gmail.com
Cc: linux-cifs@vger.kernel.org, jiali@redhat.com
Subject: [PATCH] cifs: fix name parsing in CIFSSMBQAllEAs
Date: Tue, 26 Jul 2011 15:03:20 -0400
Message-Id: <1311707000-4071-1-git-send-email-jlayton@redhat.com>

The code that matches EA names in CIFSSMBQAllEAs is incorrect. It uses
strncmp to do the comparison with the length limited to the name_len
sent in the response.

Problem: Suppose we're looking for an attribute named "foobar" and have
an attribute before it in the EA list named "foo". The comparison will
succeed since we're only looking at the first 3 characters. Fix this by
also comparing the length of the provided ea_name with the name_len in
the response. If they're not equal then it shouldn't match.

Reported-by: Jian Li
Signed-off-by: Jeff Layton
Reviewed-by: Pavel Shilovsky
--- fs/cifs/cifssmb.c | 8 +++++++- 1 files changed, 7 insertions(+), 1 deletions(-) diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c index c101775..ec796fc 100644 --- a/fs/cifs/cifssmb.c +++ b/fs/cifs/cifssmb.c @@ -5720,6 +5720,7 @@ CIFSSMBQAllEAs(const int xid, struct cifs_tcon *tcon, char *temp_ptr; char *end_of_smb; __u16 params, byte_count, data_offset; + unsigned int ea_name_len; cFYI(1, "In Query All EAs path %s", searchName); QAllEAsRetry: @@ -5814,6 +5815,10 @@ QAllEAsRetry: list_len -= 4; temp_fea = ea_response_data->list; temp_ptr = (char *)temp_fea; + + if (ea_name) + ea_name_len = strlen(ea_name); + while (list_len > 0) { unsigned int name_len; __u16 value_len; 
@@ -5837,7 +5842,8 @@ QAllEAsRetry: } if (ea_name) { - if (strncmp(ea_name, temp_ptr, name_len) == 0) { + if (ea_name_len == name_len && + strncmp(ea_name, temp_ptr, name_len) == 0) { temp_ptr += name_len + 1; rc = value_len; if (buf_size == 0)
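
Review bot: In the first hunk (@@ -5720), `unsigned int ea_name_len;` is declared without an initializer and is assigned only later, under `if (ea_name)` in the second hunk. The use in the third hunk sits under the same `if (ea_name)` test, so the logic holds, but a compiler may not follow that and can warn about a possibly uninitialized variable. Consider setting it where it is declared, for example `unsigned int ea_name_len = ea_name ? strlen(ea_name) : 0;`, which would also make the separate block added before the `while` loop unnecessary.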
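
Review bot: In the third hunk (@@ -5837), the new `ea_name_len == name_len` test carries no comment saying why it is needed, and next to a strncmp() already bounded by name_len it can look redundant. A one-line comment noting that a shorter EA name such as "foo" would otherwise match a request for "foobar" would keep it from being dropped in a later cleanup. With the two lengths known to be equal at that point, `memcmp(ea_name, temp_ptr, name_len)` would also state the intent more directly than strncmp().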
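
The prefix match described in the commit message, reproduced in user space as an added example (not code from the patch or from the kernel). The names find_ea and ea_list, the constructed sample list, and the simplified entry layout are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed EA list: two entries, "foo"="AAAA" then "foobar"="BB".
 * Assumed entry layout: flags(1) name_len(1) value_len(2, LE) name NUL value. */
static const unsigned char ea_list[] = {
    0, 3, 4, 0, 'f','o','o', 0, 'A','A','A','A',
    0, 6, 2, 0, 'f','o','o','b','a','r', 0, 'B','B',
};

/* Return the value length of the first entry matching ea_name, or -1.
 * check_len = 0 reproduces the pre-patch comparison, 1 the patched one. */
static int find_ea(const unsigned char *list, size_t list_len,
                   const char *ea_name, int check_len)
{
    size_t ea_name_len = strlen(ea_name);
    const unsigned char *p = list;
    const unsigned char *end = list + list_len;

    while ((size_t)(end - p) >= 4) {
        unsigned int name_len = p[1];
        unsigned int value_len = p[2] | (p[3] << 8);
        p += 4;
        /* Reject entries whose name, NUL and value overrun the buffer. */
        if ((size_t)(end - p) < (size_t)name_len + 1 + value_len)
            return -1;
        if ((!check_len || ea_name_len == name_len) &&
            strncmp(ea_name, (const char *)p, name_len) == 0)
            return (int)value_len;
        p += name_len + 1 + value_len;
    }
    return -1;
}

int main(void)
{
    /* Pre-patch: "foo" shadows "foobar", so the wrong value (4 bytes) wins. */
    int before = find_ea(ea_list, sizeof(ea_list), "foobar", 0);
    /* Patched: lengths must match, so the real "foobar" entry (2 bytes) wins. */
    int after = find_ea(ea_list, sizeof(ea_list), "foobar", 1);
    return (before == 4 && after == 2) ? 0 : 1;
}
```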