authorSuresh Jayaraman <sjayaraman@suse.de>2009-05-09 11:26:44 +0530
committerGreg Kroah-Hartman <gregkh@suse.de>2009-05-19 22:20:13 -0700
commitbd80f2c19e0bb66817d0c57015ea685d555ec2df (patch)
treed2794983d33b8c588497ac59b19a718c71276857 /fs/cifs
parentf1e9ce644becc2ff8865a3abb43dcfadefef093f (diff)
cifs: Fix incorrect destination buffer size in cifs_strncpy_to_host
Relevant commits 968460ebd8006d55661dec0fb86712b40d71c413 and 066ce6899484d9026acd6ba3a8dbbedb33d7ae1b. Minimal hunks to fix buffer size and fix an existing problem pointed out by Guenter Kukuk that length of src is used for NULL termination of dst. cifs: Rename cifs_strncpy_to_host and fix buffer size There is a possibility for the path_name and node_name buffers to overflow if they contain characters that are >2 bytes in the local charset. Resize the buffer allocation so as to avoid this possibility. Also, as pointed out by Jeff Layton, it would be appropriate to rename the function to cifs_strlcpy_to_host to reflect the fact that the copied string is always NULL terminated. Signed-off-by: Suresh Jayaraman <sjayaraman@suse.de> Acked-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve French <sfrench@us.ibm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'fs/cifs')
-rw-r--r--fs/cifs/cifssmb.c17
1 files changed, 8 insertions, 9 deletions
diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c
index 9231e0a5ebb5..cff0c5317147 100644
--- a/fs/cifs/cifssmb.c
+++ b/fs/cifs/cifssmb.c
@@ -91,23 +91,22 @@ static int
cifs_strncpy_to_host(char **dst, const char *src, const int maxlen,
const bool is_unicode, const struct nls_table *nls_codepage)
{
- int plen;
+ int src_len, dst_len;
if (is_unicode) {
- plen = UniStrnlen((wchar_t *)src, maxlen);
- *dst = kmalloc(plen + 2, GFP_KERNEL);
+ src_len = UniStrnlen((wchar_t *)src, maxlen);
+ *dst = kmalloc((4 * src_len) + 2, GFP_KERNEL);
if (!*dst)
goto cifs_strncpy_to_host_ErrExit;
- cifs_strfromUCS_le(*dst, (__le16 *)src, plen, nls_codepage);
+ dst_len = cifs_strfromUCS_le(*dst, (__le16 *)src, src_len, nls_codepage);
+ (*dst)[dst_len + 1] = 0;
} else {
- plen = strnlen(src, maxlen);
- *dst = kmalloc(plen + 2, GFP_KERNEL);
+ src_len = strnlen(src, maxlen);
+ *dst = kmalloc(src_len + 1, GFP_KERNEL);
if (!*dst)
goto cifs_strncpy_to_host_ErrExit;
- strncpy(*dst, src, plen);
+ strlcpy(*dst, src, src_len + 1);
}
- (*dst)[plen] = 0;
- (*dst)[plen+1] = 0; /* harmless for ASCII case, needed for Unicode */
return 0;
cifs_strncpy_to_host_ErrExit: