From: Len Baker
To: Steve French, Jeff Layton, Suresh Jayaraman
Cc: Len Baker, linux-cifs@vger.kernel.org, samba-technical@lists.samba.org, linux-kernel@vger.kernel.org, Kees Cook, linux-hardening@vger.kernel.org
Subject: [PATCH] CIFS: Fix a potential linear read overflow
Date: Tue, 17 Aug 2021 12:27:09 +0200
Message-Id: <20210817102709.15046-1-len.baker@gmx.com>
X-Mailer: git-send-email 2.25.1
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
X-Mailing-List: linux-kernel@vger.kernel.org

strlcpy() reads the entire source buffer first. This read may exceed the
destination size limit. This is both inefficient and can lead to linear
read overflows if a source string is not NUL-terminated. Also, the
strnlen() call does not avoid the read overflow in the strlcpy function
when a non-NUL-terminated string is passed. So, replace this block by a
call to kstrndup() that avoids this type of overflow and does the same.

Fixes: 066ce6899484d ("cifs: rename cifs_strlcpy_to_host and make it use new functions")
Signed-off-by: Len Baker
---
 fs/cifs/cifs_unicode.c | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

diff --git a/fs/cifs/cifs_unicode.c b/fs/cifs/cifs_unicode.c
index 9bd03a231032..171ad8b42107 100644
--- a/fs/cifs/cifs_unicode.c
+++ b/fs/cifs/cifs_unicode.c
@@ -358,14 +358,9 @@ cifs_strndup_from_utf16(const char *src, const int maxlen,
 		if (!dst)
 			return NULL;
 		cifs_from_utf16(dst, (__le16 *) src, len, maxlen, codepage,
-			       NO_MAP_UNI_RSVD);
+				NO_MAP_UNI_RSVD);
 	} else {
-		len = strnlen(src, maxlen);
-		len++;
-		dst = kmalloc(len, GFP_KERNEL);
-		if (!dst)
-			return NULL;
-		strlcpy(dst, src, len);
+		dst = kstrndup(src, maxlen, GFP_KERNEL);
 	}
 	return dst;
-- 
2.25.1
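Review bot: the `-NO_MAP_UNI_RSVD);` / `+NO_MAP_UNI_RSVD);` pair at the top of the hunk is a pure re-indentation of the cifs_from_utf16() continuation line and is unrelated to the over-read this patch fixes; drop it here or send it as a separate cleanup so that a patch carrying a `Fixes:` tag stays minimal and easy to backport. The functional change itself is sound: the removed branch sized the allocation with strnlen(src, maxlen) + 1 but then let strlcpy() run an unbounded strlen() over the whole source, so a buffer without a NUL inside the first maxlen bytes was read past that bound, whereas kstrndup(src, maxlen, GFP_KERNEL) bounds its own length scan at maxlen, copies exactly that many bytes and NUL-terminates, which produces the same string as before (strnlen(src, maxlen) bytes plus the terminator) without the unbounded read.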
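To make the over-read described in the commit message measurable, here is an added userspace example (written for this page; it is neither kernel code nor part of the patch). scan_strlen() and scan_strnlen() are instrumented stand-ins for strlen() and strnlen() that record how many source bytes were examined, old_strlcpy() mirrors the logic of the kernel's strlcpy() (full strlen() first, bounded copy second), and dup_old_path() and dup_kstrndup_like() reproduce the removed strnlen+kmalloc+strlcpy branch and kstrndup()'s strnlen+memcpy semantics. The 16-byte sample buffer is constructed for the demonstration: only its first MAXLEN bytes are "owned" and none of them is a NUL; the bytes after it stand in for whatever follows the buffer in memory and are kept inside the array only so the demo itself stays well-defined.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Set by the instrumented scans: source bytes examined, NUL included if found. */
static size_t last_bytes_read;

/* Stand-in for the strlen() inside strlcpy(): no bound, reads until a NUL. */
static size_t scan_strlen(const char *s)
{
	size_t n = 0;
	while (s[n] != '\0')
		n++;
	last_bytes_read = n + 1;
	return n;
}

/* Stand-in for strnlen(): examines at most maxlen bytes. */
static size_t scan_strnlen(const char *s, size_t maxlen)
{
	size_t n = 0;
	while (n < maxlen && s[n] != '\0')
		n++;
	last_bytes_read = (n < maxlen) ? n + 1 : n;
	return n;
}

/* Same logic as the kernel's strlcpy(): the copy is bounded, the read is not. */
static size_t old_strlcpy(char *dest, const char *src, size_t size)
{
	size_t ret = scan_strlen(src);
	if (size) {
		size_t len = (ret >= size) ? size - 1 : ret;
		memcpy(dest, src, len);
		dest[len] = '\0';
	}
	return ret;
}

/* The removed branch: strnlen() + kmalloc() + strlcpy().
 * *bytes_read receives how far into src the strlen() inside strlcpy() went. */
static char *dup_old_path(const char *src, size_t maxlen, size_t *bytes_read)
{
	size_t len = scan_strnlen(src, maxlen) + 1;
	char *dst = malloc(len);
	if (!dst)
		return NULL;
	old_strlcpy(dst, src, len);
	*bytes_read = last_bytes_read;
	return dst;
}

/* kstrndup() semantics: strnlen(), allocate len + 1, memcpy() exactly len
 * bytes, NUL-terminate. No read goes past maxlen. */
static char *dup_kstrndup_like(const char *src, size_t maxlen, size_t *bytes_read)
{
	size_t len;
	char *dst;
	if (!src)
		return NULL;
	len = scan_strnlen(src, maxlen);
	dst = malloc(len + 1);
	if (!dst)
		return NULL;
	memcpy(dst, src, len);
	dst[len] = '\0';
	*bytes_read = last_bytes_read;
	return dst;
}

/* Constructed input: the caller may read only the first MAXLEN bytes, none of
 * which is a NUL. The trailing bytes model adjacent memory (the NUL sits at
 * byte 15 so the demonstration is well-defined). */
#define MAXLEN 8
static const char sample[16] = "ABCDEFGHIJKLMNO";

size_t old_path_bytes_read(void)
{
	size_t n = 0;
	char *d = dup_old_path(sample, MAXLEN, &n);
	free(d);
	return n;	/* 16: strlen() walked to the NUL at byte 15 */
}

size_t new_path_bytes_read(void)
{
	size_t n = 0;
	char *d = dup_kstrndup_like(sample, MAXLEN, &n);
	free(d);
	return n;	/* 8: the scan stopped at maxlen */
}

/* Both paths return the same truncated string, "ABCDEFGH". */
int outputs_match(void)
{
	size_t unused;
	char *a = dup_old_path(sample, MAXLEN, &unused);
	char *b = dup_kstrndup_like(sample, MAXLEN, &unused);
	int same = a && b && strcmp(a, b) == 0 && strcmp(a, "ABCDEFGH") == 0;
	free(a);
	free(b);
	return same;
}

int main(void)
{
	printf("strnlen+strlcpy path read %zu bytes of an %d-byte region\n",
	       old_path_bytes_read(), MAXLEN);
	printf("kstrndup-style path read %zu bytes\n", new_path_bytes_read());
	printf("results identical: %s\n", outputs_match() ? "yes" : "no");
	return 0;
}
```

The point the numbers make is the one in the commit message: the allocation size was already bounded by strnlen(), and the copy was bounded by strlcpy()'s size argument, but the strlen() that strlcpy() performs on the source is not, so the old path touched twice as many bytes as the caller was entitled to read while producing exactly the same output as the kstrndup()-style path.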