[stable] Patch "CIFS: Fix memory over bound bug in cifs_parse_mount_options" has been added to the 2.6.33-longterm tree

[gregkh]

This is a note to let you know that I've just added the patch titled

    CIFS: Fix memory over bound bug in cifs_parse_mount_options

to the 2.6.33-longterm tree which can be found at:
    
http://www.kernel.org/git/?p=linux/kernel/git/longterm/longterm-queue-2.6.33.git;a=summary

The filename of the patch is:
     cifs-fix-memory-over-bound-bug-in-cifs_parse_mount_options.patch
and it can be found in the queue-2.6.33 subdirectory.

If you, or anyone else, feels it should not be added to the 2.6.33 longterm 
tree,
please let <sta...@kernel.org> know about it.


>From 4906e50b37e6f6c264e7ee4237343eb2b7f8d16d Mon Sep 17 00:00:00 2001
From: Pavel Shilovsky <pias...@etersoft.ru>
Date: Thu, 14 Apr 2011 22:00:56 +0400
Subject: CIFS: Fix memory over bound bug in cifs_parse_mount_options

From: Pavel Shilovsky <pias...@etersoft.ru>

commit 4906e50b37e6f6c264e7ee4237343eb2b7f8d16d upstream.

While password processing we can get out of options array bound if
the next character after array is delimiter. The patch adds a check
if we reach the end.

Signed-off-by: Pavel Shilovsky <pias...@etersoft.ru>
Reviewed-by: Jeff Layton <jlay...@redhat.com>
Signed-off-by: Steve French <sfre...@us.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gre...@suse.de>

---
 fs/cifs/connect.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -799,8 +799,7 @@ static int
 cifs_parse_mount_options(char *options, const char *devname,
                         struct smb_vol *vol)
 {
-       char *value;
-       char *data;
+       char *value, *data, *end;
        unsigned int  temp_len, i, j;
        char separator[2];
        short int override_uid = -1;
@@ -843,6 +842,7 @@ cifs_parse_mount_options(char *options,
        if (!options)
                return 1;
 
+       end = options + strlen(options);
        if (strncmp(options, "sep=", 4) == 0) {
                if (options[4] != 0) {
                        separator[0] = options[4];
@@ -907,6 +907,7 @@ cifs_parse_mount_options(char *options,
                        the only illegal character in a password is null */
 
                        if ((value[temp_len] == 0) &&
+                           (value + temp_len < end) &&
                            (value[temp_len+1] == separator[0])) {
                                /* reinsert comma */
                                value[temp_len] = separator[0];


Patches currently in longterm-queue-2.6.33 which might be from 
pias...@etersoft.ru are

/home/gregkh/linux/longterm/longterm-queue-2.6.33/queue-2.6.33/cifs-fix-memory-over-bound-bug-in-cifs_parse_mount_options.patch

_______________________________________________
stable mailing list
stable@linux.kernel.org
http://linux.kernel.org/mailman/listinfo/stable