From patchwork Mon Apr 20 13:24:21 2009
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Suresh Jayaraman <sjayaraman@suse.de>
X-Patchwork-Id: 19013
Received: from lists.samba.org (mail.samba.org [66.70.73.150])
	by demeter.kernel.org (8.14.2/8.14.2) with ESMTP id n3KDOriG023593
	for <patchwork-cifs-client@patchwork.kernel.org>;
	Mon, 20 Apr 2009 13:24:53 GMT
Received: from dp.samba.org (localhost [127.0.0.1])
	by lists.samba.org (Postfix) with ESMTP id 3D342163C5B
	for <patchwork-cifs-client@patchwork.kernel.org>;
	Mon, 20 Apr 2009 13:24:31 +0000 (GMT)
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on dp.samba.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 required=3.8 tests=AWL, BAYES_00 autolearn=ham
	version=3.1.7
X-Original-To: linux-cifs-client@lists.samba.org
Delivered-To: linux-cifs-client@lists.samba.org
Received: from victor.provo.novell.com (victor.provo.novell.com
	[137.65.250.26])
	by lists.samba.org (Postfix) with ESMTP id C60EF163B5C
	for <linux-cifs-client@lists.samba.org>;
	Mon, 20 Apr 2009 13:24:11 +0000 (GMT)
Received: from [164.99.138.63] (prv-ext-foundry1.gns.novell.com
	[137.65.251.240])
	by victor.provo.novell.com with ESMTP; Mon, 20 Apr 2009 07:24:27 -0600
Message-ID: <49EC7785.2080304@suse.de>
Date: Mon, 20 Apr 2009 18:54:21 +0530
From: Suresh Jayaraman <sjayaraman@suse.de>
User-Agent: Thunderbird 2.0.0.19 (X11/20081227)
MIME-Version: 1.0
To: Steve French <smfrench@gmail.com>
X-Enigmail-Version: 0.95.7
Cc: "linux-cifs-client@lists.samba.org" <linux-cifs-client@lists.samba.org>,
	Jeff Layton <jlayton@redhat.com>
Subject: [linux-cifs-client] [PATCH 1/2] cifs: Rename cifs_strncpy_to_host
	and fix buffer size
X-BeenThere: linux-cifs-client@lists.samba.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: The Linux CIFS VFS client <linux-cifs-client.lists.samba.org>
List-Unsubscribe: 
 <https://lists.samba.org/mailman/listinfo/linux-cifs-client>,
	<mailto:linux-cifs-client-request@lists.samba.org?subject=unsubscribe>
List-Archive: <http://lists.samba.org/archive/linux-cifs-client>
List-Post: <mailto:linux-cifs-client@lists.samba.org>
List-Help: <mailto:linux-cifs-client-request@lists.samba.org?subject=help>
List-Subscribe: <https://lists.samba.org/mailman/listinfo/linux-cifs-client>,
	<mailto:linux-cifs-client-request@lists.samba.org?subject=subscribe>
Sender: 
 linux-cifs-client-bounces+patchwork-cifs-client=patchwork.kernel.org@lists.samba.org
Errors-To: 
 linux-cifs-client-bounces+patchwork-cifs-client=patchwork.kernel.org@lists.samba.org

There is a possibility for the path_name and node_name buffers to
overflow if they contain charcters that are >2 bytes in the local
charset. Resize the buffer allocation so to avoid this possibility.

Also, as pointed out by Jeff Layton, it would be appropriate to
rename the function to cifs_strlcpy_to_host to reflect the fact
that the copied string is always NULL terminated.


Signed-off-by: Suresh Jayaraman <sjayaraman@suse.de>
Acked-by: Jeff Layton <jlayton@redhat.com>
---
 fs/cifs/cifssmb.c |   20 ++++++++++----------
 1 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c
index a0845dc..a02c43b 100644
--- a/fs/cifs/cifssmb.c
+++ b/fs/cifs/cifssmb.c
@@ -88,29 +88,29 @@ static struct {
  *	on failure - errno
  */
 static int
-cifs_strncpy_to_host(char **dst, const char *src, const int maxlen,
+cifs_strlcpy_to_host(char **dst, const char *src, const int maxlen,
 		 const bool is_unicode, const struct nls_table *nls_codepage)
 {
 	int plen;
 
 	if (is_unicode) {
 		plen = UniStrnlen((wchar_t *)src, maxlen);
-		*dst = kmalloc(plen + 2, GFP_KERNEL);
+		*dst = kmalloc((4 * plen) + 2, GFP_KERNEL);
 		if (!*dst)
-			goto cifs_strncpy_to_host_ErrExit;
+			goto cifs_strlcpy_to_host_ErrExit;
 		cifs_strfromUCS_le(*dst, (__le16 *)src, plen, nls_codepage);
+		(*dst)[plen] = 0;
+		(*dst)[plen+1] = 0; /* needed for Unicode */
 	} else {
 		plen = strnlen(src, maxlen);
 		*dst = kmalloc(plen + 2, GFP_KERNEL);
 		if (!*dst)
-			goto cifs_strncpy_to_host_ErrExit;
-		strncpy(*dst, src, plen);
+			goto cifs_strlcpy_to_host_ErrExit;
+		strlcpy(*dst, src, plen);
 	}
-	(*dst)[plen] = 0;
-	(*dst)[plen+1] = 0; /* harmless for ASCII case, needed for Unicode */
 	return 0;
 
-cifs_strncpy_to_host_ErrExit:
+cifs_strlcpy_to_host_ErrExit:
 	cERROR(1, ("Failed to allocate buffer for string\n"));
 	return -ENOMEM;
 }
@@ -4029,7 +4029,7 @@ parse_DFS_referrals(TRANSACTION2_GET_DFS_REFER_RSP *pSMBr,
 		/* copy DfsPath */
 		temp = (char *)ref + le16_to_cpu(ref->DfsPathOffset);
 		max_len = data_end - temp;
-		rc = cifs_strncpy_to_host(&(node->path_name), temp,
+		rc = cifs_strlcpy_to_host(&(node->path_name), temp,
 					max_len, is_unicode, nls_codepage);
 		if (rc)
 			goto parse_DFS_referrals_exit;
@@ -4037,7 +4037,7 @@ parse_DFS_referrals(TRANSACTION2_GET_DFS_REFER_RSP *pSMBr,
 		/* copy link target UNC */
 		temp = (char *)ref + le16_to_cpu(ref->NetworkAddressOffset);
 		max_len = data_end - temp;
-		rc = cifs_strncpy_to_host(&(node->node_name), temp,
+		rc = cifs_strlcpy_to_host(&(node->node_name), temp,
 					max_len, is_unicode, nls_codepage);
 		if (rc)
 			goto parse_DFS_referrals_exit;