aboutsummaryrefslogtreecommitdiff
path: root/fs
diff options
context:
space:
mode:
authorPavel Shilovsky <piastry@etersoft.ru>2011-04-14 22:00:56 +0400
committerGreg Kroah-Hartman <gregkh@suse.de>2011-05-21 15:13:10 -0700
commit0d88dc66b6ca8011870d03b7fb1e65500a02bc4b (patch)
tree6d75a5e5a9656ed2d57ae1359ae7a442b98e6f26 /fs
parenta7d9222022375081576a7909167869a0bf1ed44c (diff)
downloadlinux-linaro-android-0d88dc66b6ca8011870d03b7fb1e65500a02bc4b.tar.gz
CIFS: Fix memory over bound bug in cifs_parse_mount_options
commit 4906e50b37e6f6c264e7ee4237343eb2b7f8d16d upstream. While password processing we can get out of options array bound if the next character after array is delimiter. The patch adds a check if we reach the end. Signed-off-by: Pavel Shilovsky <piastry@etersoft.ru> Reviewed-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve French <sfrench@us.ibm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'fs')
-rw-r--r--fs/cifs/connect.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index 0fd3855a161..bd7e61fbd27 100644
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -822,8 +822,7 @@ static int
cifs_parse_mount_options(char *options, const char *devname,
struct smb_vol *vol)
{
- char *value;
- char *data;
+ char *value, *data, *end;
unsigned int temp_len, i, j;
char separator[2];
short int override_uid = -1;
@@ -866,6 +865,7 @@ cifs_parse_mount_options(char *options, const char *devname,
if (!options)
return 1;
+ end = options + strlen(options);
if (strncmp(options, "sep=", 4) == 0) {
if (options[4] != 0) {
separator[0] = options[4];
@@ -930,6 +930,7 @@ cifs_parse_mount_options(char *options, const char *devname,
the only illegal character in a password is null */
if ((value[temp_len] == 0) &&
+ (value + temp_len < end) &&
(value[temp_len+1] == separator[0])) {
/* reinsert comma */
value[temp_len] = separator[0];