Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-4.9 / 9438fabb73eb48055b58b89fc51e0bc4db22fabd
commit9438fabb73eb48055b58b89fc51e0bc4db22fabd[log] [tgz]
authorJeff Layton <jlayton@redhat.com>Tue Aug 23 07:21:28 2011 -0400
committerSteve French <sfrench@us.ibm.com>Mon Sep 19 21:14:40 2011 -0500
treed8cb3ac7c9e9e3ead5e57b9e362bd2a7084781a4
parent9d037a777695993ec7437e5f451647dea7919d4c [diff]
cifs: fix possible memory corruption in CIFSFindNext

The name_len variable in CIFSFindNext is a signed int that gets set to
the resume_name_len in the cifs_search_info. The resume_name_len however
is unsigned and for some infolevels is populated directly from a 32 bit
value sent by the server.

If the server sends a very large value for this, then that value could
look negative when converted to a signed int. That would make that
value pass the PATH_MAX check later in CIFSFindNext. The name_len would
then be used as a length value for a memcpy. It would then be treated
as unsigned again, and the memcpy scribbles over a ton of memory.

Fix this by making the name_len an unsigned value in CIFSFindNext.

Cc: <stable@kernel.org>
Reported-by: Darren Lavender <dcl@hppine99.gbr.hp.com>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
1 file changed
tree: d8cb3ac7c9e9e3ead5e57b9e362bd2a7084781a4
  1. arch/
  2. block/
  3. crypto/
  4. Documentation/
  5. drivers/
  6. firmware/
  7. fs/
  8. include/
  9. init/
  10. ipc/
  11. kernel/
  12. lib/
  13. mm/
  14. net/
  15. samples/
  16. scripts/
  17. security/
  18. sound/
  19. tools/
  20. usr/
  21. virt/
  22. .gitignore
  23. .mailmap
  24. COPYING
  25. CREDITS
  26. Kbuild
  27. Kconfig
  28. MAINTAINERS
  29. Makefile
  30. README
  31. REPORTING-BUGS