Commit f980d055 authored by Len Baker's avatar Len Baker Committed by Steve French

CIFS: Fix a potencially linear read overflow

strlcpy() reads the entire source buffer first. This read may exceed the
destination size limit. This is both inefficient and can lead to linear
read overflows if a source string is not NUL-terminated.

Also, the strnlen() call does not avoid the read overflow in the strlcpy
function when a not NUL-terminated string is passed.

So, replace this block by a call to kstrndup() that avoids this type of
overflow and does the same.

Fixes: 066ce689 ("cifs: rename cifs_strlcpy_to_host and make it use new functions")
Signed-off-by: default avatarLen Baker <len.baker@gmx.com>
Reviewed-by: default avatarPaulo Alcantara (SUSE) <pc@cjr.nz>
Reviewed-by: default avatarJeff Layton <jlayton@kernel.org>
Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
parent e22ce8eb
......@@ -360,12 +360,7 @@ cifs_strndup_from_utf16(const char *src, const int maxlen,
cifs_from_utf16(dst, (__le16 *) src, len, maxlen, codepage,
NO_MAP_UNI_RSVD);
} else {
len = strnlen(src, maxlen);
len++;
dst = kmalloc(len, GFP_KERNEL);
if (!dst)
return NULL;
strlcpy(dst, src, len);
dst = kstrndup(src, maxlen, GFP_KERNEL);
}
return dst;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment