[ 3.8.y.z extended stable ] Patch "cifs: fix potential buffer overrun when composing a new options" has been added to staging queue

Kamal Mostafa kamal at canonical.com
Thu May 30 20:34:54 UTC 2013 

This is a note to let you know that I have just added a patch titled

    cifs: fix potential buffer overrun when composing a new options

to the linux-3.8.y-queue branch of the 3.8.y.z extended stable tree 
which can be found at:

 http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.8.y-queue

This patch is scheduled to be released in version 3.8.13.2.

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.8.y.z tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Kamal

------

>From c9ec0a0cea7eba090e3a44ce7d501e167fbbd84b Mon Sep 17 00:00:00 2001
From: Jeff Layton <jlayton at redhat.com>
Date: Fri, 24 May 2013 07:40:04 -0400
Subject: cifs: fix potential buffer overrun when composing a new options
 string

commit 166faf21bd14bc5c5295a44874bf7f3930c30b20 upstream.

Consider the case where we have a very short ip= string in the original
mount options, and when we chase a referral we end up with a very long
IPv6 address. Be sure to allow for that possibility when estimating the
size of the string to allocate.

Signed-off-by: Jeff Layton <jlayton at redhat.com>
Signed-off-by: Steve French <sfrench at us.ibm.com>
Signed-off-by: Kamal Mostafa <kamal at canonical.com>
---
 fs/cifs/cifs_dfs_ref.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/fs/cifs/cifs_dfs_ref.c b/fs/cifs/cifs_dfs_ref.c
index 210fce2..47c1155 100644
--- a/fs/cifs/cifs_dfs_ref.c
+++ b/fs/cifs/cifs_dfs_ref.c
@@ -18,6 +18,7 @@
 #include <linux/slab.h>
 #include <linux/vfs.h>
 #include <linux/fs.h>
+#include <linux/inet.h>
 #include "cifsglob.h"
 #include "cifsproto.h"
 #include "cifsfs.h"
@@ -150,7 +151,8 @@ char *cifs_compose_mount_options(const char *sb_mountdata,
 	 * assuming that we have 'unc=' and 'ip=' in
 	 * the original sb_mountdata
 	 */
-	md_len = strlen(sb_mountdata) + rc + strlen(ref->node_name) + 12;
+	md_len = strlen(sb_mountdata) + rc + strlen(ref->node_name) + 12 +
+			INET6_ADDRSTRLEN;
 	mountdata = kzalloc(md_len+1, GFP_KERNEL);
 	if (mountdata == NULL) {
 		rc = -ENOMEM;
--
1.8.1.2

More information about the kernel-team mailing list