Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp2686548yba; Mon, 6 May 2019 09:59:28 -0700 (PDT) X-Google-Smtp-Source: APXvYqwxafhX3qtHkmbtG4xlxVxM0wnHIst5QjU9lAu6S0W5bk/eGxUmTKjDnxkoFyCLkafStI3+ X-Received: by 2002:a62:d5c9:: with SMTP id d192mr33789367pfg.109.1557161968246; Mon, 06 May 2019 09:59:28 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1557161968; cv=none; d=google.com; s=arc-20160816; b=XItesA9dG5j+hiZJFXH3skLgkwpFoiwZaze1oJXOqRuNvLejBROcxoEA2VutKgy5jm a7lWt+pWmoILz7KVp923mFkw+9b2DVzHuylCEQFYBFLTfBZ7Lswk4QCclafxlgMNRbr4 /cumxECEo9tjYrWq0LEeC4JBFd2fC1vYGPQvc3BIiF7I5wIbonKUpZUeKX8I0fz2qcLj EgrGwG7w9ECoFtbhqJvAQw655K354+4E6EiqAJ/glE+TrxtZ2bxRU+DgNHkp/A6dxauf +5zEJEkwtitHISTdMwkHLmk7ledZijz+QUZUof6dNvO+aoYCbJi/xpYeS6o8TUbsskkE lUvg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:reply-to:message-id :subject:cc:to:from:date:dkim-signature; bh=sIeWRsQrjfl5uiGG2Afv8XyEcWfXKzvrjMXyJwlUSgs=; b=xHVBiM6oFc55poq3B7JfsAlL9Pn4xC/ggADxLg+tCfL/rBu2LcMsw06yQ8v0QXzf4U YJvyjkFG3iDBZCkEw6KUUx3Qvv7dGDsAeQg+UL3vIUbczSSS4T5HxKOj3SWw1dJJSLMQ vETiyXi2FqbCilfo3OjQ7iHgYmMY0fjNH3eip+zW8GQA8k6ATBa6D+wSnlsRjadg8OBQ KRntM+LCuIP/MNrjAuozdmjIzprZ5r54bKZjHYBg4dVIC48pupx0FGgSaLx5jk/mn0+s HbiwZu2EsEfHjjAuNexzxl5MdgwSRDAjw+IQCX9nHqfWRo3SCaYlg/kj6BqXY5jbN7IG l9kA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@samba.org header.s=42627210 header.b=QotzqNtj; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=samba.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z9si6265194pgi.341.2019.05.06.09.59.11; Mon, 06 May 2019 09:59:28 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@samba.org header.s=42627210 header.b=QotzqNtj; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=samba.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727014AbfEFQ5F (ORCPT + 99 others); Mon, 6 May 2019 12:57:05 -0400 Received: from hr2.samba.org ([144.76.82.148]:38120 "EHLO hr2.samba.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726094AbfEFQ5E (ORCPT ); Mon, 6 May 2019 12:57:04 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=samba.org; s=42627210; h=Message-ID:Cc:To:From:Date; bh=sIeWRsQrjfl5uiGG2Afv8XyEcWfXKzvrjMXyJwlUSgs=; b=QotzqNtjAKaav33thlCTI2Hwte bjtFIAyRnHZa2j1wF9E4CcF3LQGfrLiNrlrCgiilCXSUgs72o7eyyI5nhqw5thxFGNSVXC925r6cL zvTKkzRBoNhCu4M5Q62OQ0EnAORwq4FV820kgcWxrVAlcq7gfht/07poI8M0Aal5ui/s=; Received: from [127.0.0.2] (localhost [127.0.0.1]) by hr2.samba.org with esmtpsa (TLS1.3:ECDHE_RSA_CHACHA20_POLY1305:256) (Exim) id 1hNgvF-0007UB-DL; Mon, 06 May 2019 16:57:01 +0000 Date: Mon, 6 May 2019 09:56:58 -0700 From: Jeremy Allison To: Steve French Cc: Christoph Probst , Steve French , CIFS , samba-technical , LKML Subject: Re: [PATCH] cifs: fix strcat buffer overflow in smb21_set_oplock_level() Message-ID: <20190506165658.GA168433@jra4> Reply-To: Jeremy Allison References: <1557155792-2703-1-git-send-email-kernel@probst.it> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, May 06, 2019 at 11:53:44AM -0500, Steve French via samba-technical wrote: > I think strcpy is clearer - but I don't think it can overflow since if > R, W or W were written to "message" then cinode->oplock would be > non-zero so we would never strcap "None" Ahem. In Samba we have : lib/util/safe_string.h:#define strcpy(dest,src) __ERROR__XX__NEVER_USE_STRCPY___; Maybe you should do likewise :-). > On Mon, May 6, 2019 at 10:26 AM Christoph Probst wrote: > > > > Change strcat to strcpy in the "None" case as it is never valid to append > > "None" to any other message. It may also overflow char message[5], in a > > race condition on cinode if cinode->oplock is unset by another thread > > after "RHW" or "RH" had been written to message. > > > > Signed-off-by: Christoph Probst > > --- > > fs/cifs/smb2ops.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c > > index c36ff0d..5fd5567 100644 > > --- a/fs/cifs/smb2ops.c > > +++ b/fs/cifs/smb2ops.c > > @@ -2936,7 +2936,7 @@ smb21_set_oplock_level(struct cifsInodeInfo *cinode, __u32 oplock, > > strcat(message, "W"); > > } > > if (!cinode->oplock) > > - strcat(message, "None"); > > + strcpy(message, "None"); > > cifs_dbg(FYI, "%s Lease granted on inode %p\n", message, > > &cinode->vfs_inode); > > } > > -- > > 2.1.4 > > > > > -- > Thanks, > > Steve >