From patchwork Thu May 23 20:37:24 2013 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jeff Layton X-Patchwork-Id: 2608891 Return-Path: X-Original-To: patchwork-cifs-client@patchwork.kernel.org Delivered-To: patchwork-process-083081@patchwork2.kernel.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by patchwork2.kernel.org (Postfix) with ESMTP id 51E6FDFB78 for ; Thu, 23 May 2013 20:37:30 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1758293Ab3EWUha (ORCPT ); Thu, 23 May 2013 16:37:30 -0400 Received: from mail-qe0-f52.google.com ([209.85.128.52]:42451 "EHLO mail-qe0-f52.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1757883Ab3EWUh3 (ORCPT ); Thu, 23 May 2013 16:37:29 -0400 Received: by mail-qe0-f52.google.com with SMTP id 1so2152756qec.25 for ; Thu, 23 May 2013 13:37:29 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=sender:from:to:cc:subject:date:message-id:x-mailer :x-gm-message-state; bh=PsjYUBPHo//vdAD4FJZ2Qb79JTrLey8vBWah7TGNFgc=; b=cd/4jGiT/I/Vqm2jJNv6TqMSKt4FSmYqRkH+/WhFXAJALDzeH+oJLaTAEaQyB5Zyc3 TxmyKFjDsiHTbUFmejdHHW2WaLS0LDpwAswoCr9cmPwc7wfu9Nypy+0uQ8zwaUajlJ/A WqCiSGVKF2shRo+cwrknTM96EuLskQ8/pyMbBaJpCdA/+PmTAE5YKjSpXi0VIjjChpo5 py1eQ0TpCuwVER7C6Y4xF91NHdPUB6kqIpCo2v7iLA9bPBKUVYZRiG3IXU0CcK0oip1T WkkYZpTDBh/7ZO+NRKwXOmshtkO8izt59XH4vEIlvmKmkC4S/N0+YVi1xKsp4F61Og03 yn0g== X-Received: by 10.224.37.134 with SMTP id x6mr13006227qad.98.1369341448957; Thu, 23 May 2013 13:37:28 -0700 (PDT) Received: from salusa.poochiereds.net (cpe-107-015-113-143.nc.res.rr.com. [107.15.113.143]) by mx.google.com with ESMTPSA id c10sm13673820qao.10.2013.05.23.13.37.27 for (version=TLSv1.2 cipher=RC4-SHA bits=128/128); Thu, 23 May 2013 13:37:28 -0700 (PDT) From: Jeff Layton To: smfrench@gmail.com Cc: linux-cifs@vger.kernel.org Subject: [PATCH] cifs: fix potential buffer overrun when composing a new options string Date: Thu, 23 May 2013 16:37:24 -0400 Message-Id: <1369341444-23493-1-git-send-email-jlayton@redhat.com> X-Mailer: git-send-email 1.8.1.4 X-Gm-Message-State: ALoCoQkLkzcjNcWteMd0enhH/8BefmfB9zxeuaDNMUXftlROqp/pgyPDfJTeCVwAiT/RYsQg+SZ9 Sender: linux-cifs-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-cifs@vger.kernel.org Consider the case where we have a very short ip= string in the original mount options, and when we chase a referral we end up with a very long IPv6 address. Be sure to allow for that possibility when estimating the size of the string to allocate. Cc: Signed-off-by: Jeff Layton --- fs/cifs/cifs_dfs_ref.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/fs/cifs/cifs_dfs_ref.c b/fs/cifs/cifs_dfs_ref.c index 8e33ec6..8e5a181 100644 --- a/fs/cifs/cifs_dfs_ref.c +++ b/fs/cifs/cifs_dfs_ref.c @@ -18,6 +18,7 @@ #include #include #include +#include #include "cifsglob.h" #include "cifsproto.h" #include "cifsfs.h" @@ -150,7 +151,8 @@ char *cifs_compose_mount_options(const char *sb_mountdata, * assuming that we have 'unc=' and 'ip=' in * the original sb_mountdata */ - md_len = strlen(sb_mountdata) + rc + strlen(ref->node_name) + 12; + md_len = strlen(sb_mountdata) + rc + strlen(ref->node_name) + 12 + + INET6_ADDRSTRLEN; mountdata = kzalloc(md_len+1, GFP_KERNEL); if (mountdata == NULL) { rc = -ENOMEM;