From: Christoph Probst
To: linux-cifs@vger.kernel.org
Cc: Steve French, samba-technical@lists.samba.org, linux-kernel@vger.kernel.org, Christoph Probst
Subject: [PATCH v2] cifs: fix strcat buffer overflow and reduce raciness in smb21_set_oplock_level()
Date: Tue, 7 May 2019 17:16:40 +0200
Message-Id: <1557242200-26194-1-git-send-email-kernel@probst.it>

Change strcat to strncpy in the "None" case to fix a buffer overflow when
cinode->oplock is reset to 0 by another thread accessing the same cinode.
It is never valid to append "None" to any other message.

Consolidate multiple writes to cinode->oplock to reduce raciness.
Signed-off-by: Christoph Probst --- fs/cifs/smb2ops.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c index c36ff0d..aa61dcf 100644 --- a/fs/cifs/smb2ops.c +++ b/fs/cifs/smb2ops.c @@ -2917,26 +2917,28 @@ smb21_set_oplock_level(struct cifsInodeInfo *cinode, __u32 oplock, unsigned int epoch, bool *purge_cache) { char message[5] = {0}; + unsigned int new_oplock = 0; oplock &= 0xFF; if (oplock == SMB2_OPLOCK_LEVEL_NOCHANGE) return; - cinode->oplock = 0; if (oplock & SMB2_LEASE_READ_CACHING_HE) { - cinode->oplock |= CIFS_CACHE_READ_FLG; + new_oplock |= CIFS_CACHE_READ_FLG; strcat(message, "R"); } if (oplock & SMB2_LEASE_HANDLE_CACHING_HE) { - cinode->oplock |= CIFS_CACHE_HANDLE_FLG; + new_oplock |= CIFS_CACHE_HANDLE_FLG; strcat(message, "H"); } if (oplock & SMB2_LEASE_WRITE_CACHING_HE) { - cinode->oplock |= CIFS_CACHE_WRITE_FLG; + new_oplock |= CIFS_CACHE_WRITE_FLG; strcat(message, "W"); } - if (!cinode->oplock) - strcat(message, "None"); + if (!new_oplock) + strncpy(message, "None", sizeof(message)); + + cinode->oplock = new_oplock; cifs_dbg(FYI, "%s Lease granted on inode %p\n", message, &cinode->vfs_inode); } -- 2.1.4
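Review bot: the "None" branch now does strncpy(message, "None", sizeof(message)) into a 5-byte array, which is NUL-terminated only because "None" is exactly one byte shorter than the buffer; strscpy(message, "None", sizeof(message)) would express the bound without relying on that arithmetic. Since new_oplock is derived only from the local flag tests, the branch can no longer be reached with a non-empty message, so the overflow described in the commit message is gone whichever copy routine is used. A short comment above `cinode->oplock = new_oplock;` saying the single store is deliberate would guard against someone reintroducing the per-flag `|=` writes, because the hunk does not show what, if anything, serializes readers of cinode->oplock against this assignment.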
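The race the commit message describes, modelled in user space as an added example (not the kernel's code): the pre-patch control flow decides whether to append "None" by re-reading the shared field, so an intervening reset yields "RHWNone" (8 bytes with NUL) for a 5-byte array, while the patched flow decides on the local copy. The flag values, the `cinode` struct and the `reset_midway` switch are constructed assumptions; the string is built in a 16-byte caller buffer so the function can report the length safely instead of overflowing.

```c
#include <string.h>

/* Constructed stand-ins for the kernel flag values and cifsInodeInfo; the
 * numbers are illustrative, only the control flow mirrors the patch. */
#define SMB2_LEASE_READ_CACHING_HE   0x01u
#define SMB2_LEASE_HANDLE_CACHING_HE 0x02u
#define SMB2_LEASE_WRITE_CACHING_HE  0x04u
#define CIFS_CACHE_READ_FLG          0x01u
#define CIFS_CACHE_HANDLE_FLG        0x02u
#define CIFS_CACHE_WRITE_FLG         0x04u
#define MESSAGE_SIZE 5u /* sizeof(message) in smb21_set_oplock_level() */
struct cinode { unsigned int oplock; };

/* Pre-patch control flow.  reset_midway models another thread clearing
 * cinode->oplock between the per-flag writes and the "None" check.
 * Returns the bytes (including NUL) the real char[5] would have needed. */
static size_t old_set_oplock(struct cinode *c, unsigned int oplock,
                             int reset_midway, char out[16])
{
    memset(out, 0, 16);
    oplock &= 0xFF;
    c->oplock = 0;
    if (oplock & SMB2_LEASE_READ_CACHING_HE)   { c->oplock |= CIFS_CACHE_READ_FLG;   strcat(out, "R"); }
    if (oplock & SMB2_LEASE_HANDLE_CACHING_HE) { c->oplock |= CIFS_CACHE_HANDLE_FLG; strcat(out, "H"); }
    if (oplock & SMB2_LEASE_WRITE_CACHING_HE)  { c->oplock |= CIFS_CACHE_WRITE_FLG;  strcat(out, "W"); }
    if (reset_midway)
        c->oplock = 0;      /* the interleaving the commit message describes */
    if (!c->oplock)         /* decision taken on the shared, already-modified field */
        strcat(out, "None");
    return strlen(out) + 1;
}

/* Patched control flow: flags accumulate in a local and the shared field is
 * written once, so the "None" branch only ever runs with an empty string. */
static size_t new_set_oplock(struct cinode *c, unsigned int oplock,
                             int reset_midway, char out[16])
{
    unsigned int new_oplock = 0;
    memset(out, 0, 16);
    oplock &= 0xFF;
    if (oplock & SMB2_LEASE_READ_CACHING_HE)   { new_oplock |= CIFS_CACHE_READ_FLG;   strcat(out, "R"); }
    if (oplock & SMB2_LEASE_HANDLE_CACHING_HE) { new_oplock |= CIFS_CACHE_HANDLE_FLG; strcat(out, "H"); }
    if (oplock & SMB2_LEASE_WRITE_CACHING_HE)  { new_oplock |= CIFS_CACHE_WRITE_FLG;  strcat(out, "W"); }
    if (reset_midway)
        c->oplock = 0;      /* same interference; the message no longer depends on it */
    if (!new_oplock)        /* decision taken on the local copy */
        strncpy(out, "None", 16);
    c->oplock = new_oplock; /* single store, as in the patch */
    return strlen(out) + 1;
}
```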