Patch "cifs: fix off-by-one bug in build_unc_path_to_root" has been added to the 3.9-stable tree

Mon, 10 Jun 2013 11:16:41 -0700 

This is a note to let you know that I've just added the patch titled

    cifs: fix off-by-one bug in build_unc_path_to_root

to the 3.9-stable tree which can be found at:
    
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     cifs-fix-off-by-one-bug-in-build_unc_path_to_root.patch
and it can be found in the queue-3.9 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <[email protected]> know about it.


>From 1fc29bacedeabb278080e31bb9c1ecb49f143c3b Mon Sep 17 00:00:00 2001
From: Jeff Layton <[email protected]>
Date: Fri, 31 May 2013 10:00:18 -0400
Subject: cifs: fix off-by-one bug in build_unc_path_to_root

From: Jeff Layton <[email protected]>

commit 1fc29bacedeabb278080e31bb9c1ecb49f143c3b upstream.

commit 839db3d10a (cifs: fix up handling of prefixpath= option) changed
the code such that the vol->prepath no longer contained a leading
delimiter and then fixed up the places that accessed that field to
account for that change.

One spot in build_unc_path_to_root was missed however. When doing the
pointer addition on pos, that patch failed to account for the fact that
we had already incremented "pos" by one when adding the length of the
prepath. This caused a buffer overrun by one byte.

This patch fixes the problem by correcting the handling of "pos".

Reported-by: Marcus Moeller <[email protected]>
Reported-by: Ken Fallon <[email protected]>
Signed-off-by: Jeff Layton <[email protected]>
Signed-off-by: Steve French <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
 fs/cifs/connect.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -3332,8 +3332,8 @@ build_unc_path_to_root(const struct smb_
        pos = full_path + unc_len;
 
        if (pplen) {
-               *pos++ = CIFS_DIR_SEP(cifs_sb);
-               strncpy(pos, vol->prepath, pplen);
+               *pos = CIFS_DIR_SEP(cifs_sb);
+               strncpy(pos + 1, vol->prepath, pplen);
                pos += pplen;
        }
 


Patches currently in stable-queue which might be from [email protected] are

queue-3.9/cifs-fix-off-by-one-bug-in-build_unc_path_to_root.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to