mirror of
https://github.com/torvalds/linux
synced 2024-09-21 19:47:35 +00:00
CIFS: Fix a potencially linear read overflow
strlcpy() reads the entire source buffer first. This read may exceed the
destination size limit. This is both inefficient and can lead to linear
read overflows if a source string is not NUL-terminated.
Also, the strnlen() call does not avoid the read overflow in the strlcpy
function when a not NUL-terminated string is passed.
So, replace this block by a call to kstrndup() that avoids this type of
overflow and does the same.
Fixes: 066ce68994
("cifs: rename cifs_strlcpy_to_host and make it use new functions")
Signed-off-by: Len Baker <len.baker@gmx.com>
Reviewed-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
This commit is contained in:
parent
e22ce8eb63
commit
f980d055a0
|
@ -358,14 +358,9 @@ cifs_strndup_from_utf16(const char *src, const int maxlen,
|
|||
if (!dst)
|
||||
return NULL;
|
||||
cifs_from_utf16(dst, (__le16 *) src, len, maxlen, codepage,
|
||||
NO_MAP_UNI_RSVD);
|
||||
NO_MAP_UNI_RSVD);
|
||||
} else {
|
||||
len = strnlen(src, maxlen);
|
||||
len++;
|
||||
dst = kmalloc(len, GFP_KERNEL);
|
||||
if (!dst)
|
||||
return NULL;
|
||||
strlcpy(dst, src, len);
|
||||
dst = kstrndup(src, maxlen, GFP_KERNEL);
|
||||
}
|
||||
|
||||
return dst;
|
||||
|
|
Loading…
Reference in a new issue