CIFS: Fix memory over bound bug in cifs_parse_mount_options While password processing we can get out of options array bound if the next character after array is delimiter. The patch adds a check if we reach the end. Signed-off-by: Pavel Shilovsky <piastry@etersoft.ru> Reviewed-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve French <sfrench@us.ibm.com>

commit: 4906e50b37e6f6c264e7ee4237343eb2b7f8d16d [log] [tgz]
author: Pavel Shilovsky <piastry@etersoft.ru> Thu Apr 14 22:00:56 2011 +0400
committer: Steve French <sfrench@us.ibm.com> Thu Apr 21 17:22:43 2011 +0000
tree: db956af25beeca260ca69f1c69b79bb9f2f906b6
parent: f0e615c3cb72b42191b558c130409335812621d8 [diff] [blame]
diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index db9d55b..4bc862a 100644
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c

@@ -807,8 +807,7 @@
 cifs_parse_mount_options(char *options, const char *devname,
 			 struct smb_vol *vol)
 {
-	char *value;
-	char *data;
+	char *value, *data, *end;
 	unsigned int  temp_len, i, j;
 	char separator[2];
 	short int override_uid = -1;
@@ -851,6 +850,7 @@
 	if (!options)
 		return 1;
 
+	end = options + strlen(options);
 	if (strncmp(options, "sep=", 4) == 0) {
 		if (options[4] != 0) {
 			separator[0] = options[4];
@@ -916,6 +916,7 @@
 			the only illegal character in a password is null */
 
 			if ((value[temp_len] == 0) &&
+			    (value + temp_len < end) &&
 			    (value[temp_len+1] == separator[0])) {
 				/* reinsert comma */
 				value[temp_len] = separator[0];
commit	4906e50b37e6f6c264e7ee4237343eb2b7f8d16d	[log] [tgz]
author	Pavel Shilovsky <piastry@etersoft.ru>	Thu Apr 14 22:00:56 2011 +0400
committer	Steve French <sfrench@us.ibm.com>	Thu Apr 21 17:22:43 2011 +0000
tree	db956af25beeca260ca69f1c69b79bb9f2f906b6
parent	f0e615c3cb72b42191b558c130409335812621d8 [diff] [blame]