提交 301a6a31 编写于 作者: S Steve French

[CIFS] Maximum username length check in session setup does not match

Fix length check reported by D. Binderman (see below)

d binderman <dcb314@hotmail.com> wrote:
>
> I just ran the sourceforge tool cppcheck over the source code of the
> new Linux kernel 2.6.33-rc6
>
> It said
>
> [./cifs/sess.c:250]: (error) Buffer access out-of-bounds

May turn out to be harmless, but best to be safe. Note max
username length is defined to 32 due to Linux (Windows
maximum is 20).
Signed-off-by: NSteve French <sfrench@us.ibm.com>
上级 f12f98db
...@@ -223,9 +223,9 @@ static void unicode_ssetup_strings(char **pbcc_area, struct cifsSesInfo *ses, ...@@ -223,9 +223,9 @@ static void unicode_ssetup_strings(char **pbcc_area, struct cifsSesInfo *ses,
/* null user mount */ /* null user mount */
*bcc_ptr = 0; *bcc_ptr = 0;
*(bcc_ptr+1) = 0; *(bcc_ptr+1) = 0;
} else { /* 300 should be long enough for any conceivable user name */ } else {
bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, ses->userName, bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, ses->userName,
300, nls_cp); MAX_USERNAME_SIZE, nls_cp);
} }
bcc_ptr += 2 * bytes_ret; bcc_ptr += 2 * bytes_ret;
bcc_ptr += 2; /* account for null termination */ bcc_ptr += 2; /* account for null termination */
...@@ -246,11 +246,10 @@ static void ascii_ssetup_strings(char **pbcc_area, struct cifsSesInfo *ses, ...@@ -246,11 +246,10 @@ static void ascii_ssetup_strings(char **pbcc_area, struct cifsSesInfo *ses,
/* copy user */ /* copy user */
if (ses->userName == NULL) { if (ses->userName == NULL) {
/* BB what about null user mounts - check that we do this BB */ /* BB what about null user mounts - check that we do this BB */
} else { /* 300 should be long enough for any conceivable user name */ } else {
strncpy(bcc_ptr, ses->userName, 300); strncpy(bcc_ptr, ses->userName, MAX_USERNAME_SIZE);
} }
/* BB improve check for overflow */ bcc_ptr += strnlen(ses->userName, MAX_USERNAME_SIZE);
bcc_ptr += strnlen(ses->userName, 300);
*bcc_ptr = 0; *bcc_ptr = 0;
bcc_ptr++; /* account for null termination */ bcc_ptr++; /* account for null termination */
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册