Received: by 2002:a05:6a11:4021:0:0:0:0 with SMTP id ky33csp220945pxb; Mon, 13 Sep 2021 17:31:20 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzVx8T9M2GmkCICCetNK2trgmTS3bPrNfLH+5TQfQ42Afw4AUC8LEr2nfpuJDVbbMasT0c1 X-Received: by 2002:a05:6402:1808:: with SMTP id g8mr15866394edy.188.1631579480512; Mon, 13 Sep 2021 17:31:20 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1631579480; cv=none; d=google.com; s=arc-20160816; b=sQdGO7iFEolcCvzWVze9wlAytlYY+7dzTbBI3OoUHOmkCw1srX5fSev/D89OHszwDm Ck1TjjRFV7WSoUZey9iFF209o3ZWXJDmrqOcz4rRbrWWrKHPH2TAnP427vtXKEbdy3Rz sp71jJeWv41X7v8mEOObTy/cPOPRJ9//7XUo7IG1VcggVNdf7sbZr3uSk2MJdfocKiOk aYyUgdvX8QAW75aQgcDPJf97vuY2gWA0tx0nDS2Fu8pEbyqP+7wJ4WV2q61SZ3eGTKxt ylLTzlsRrkxDWtHFyv62fk/fQoKUjjh/p6nIMjQhAPJob711nRt/0k+3xSfnFG9Vuw1w ppgw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=+T9ZpK/2YQP2u+yTyKWu3UlOgTNVupMmENM4vabl7Gs=; b=pEmdCKwXxAV8iWE+7R1KEQPtI9iPh0jhmofgNmisAEOx3WrsVn6VcmRao3L2yZaa4a +Baz/1vPZSeSxI9i0dnVZFSzedMPAF3Y5eFsj9EP4IEy8yLr4oYCL0Cc/0yWHxJUAYVt 6udLJ1YmHBo/Xr18s8TdPn0wsoD1HRGZrWNfwKflysVaC6B+t4yYdrITgWstHEdpvGXP ORZYuX46GOWNCO9AUPxtT711jIQ0zEr4bu0Q00NCl7VrujqQ7YF17IoAR+V7aSAAGBYn fRfkPcE+WZKQHrnk3PV4rizUbNdVpJHY4UPAkibAlQofkIInZNBhP9aSoK8/gRpbVTw8 rFvw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=JA4oeoUj; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id b5si8756875edx.499.2021.09.13.17.30.57; Mon, 13 Sep 2021 17:31:20 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=JA4oeoUj; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344975AbhIMOPx (ORCPT + 99 others); Mon, 13 Sep 2021 10:15:53 -0400 Received: from mail.kernel.org ([198.145.29.99]:33982 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S245096AbhIMOMy (ORCPT ); Mon, 13 Sep 2021 10:12:54 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 7027861356; Mon, 13 Sep 2021 13:42:49 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1631540570; bh=/Q+nGGbuRQCEf4nJ+zVUPSAiTbJskpr6+hRJit8n4qc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=JA4oeoUjmotapt86OySrARgIfXfT+nGcrLHEEQA6m04EI0zPMHLqaFo704qbl1d1f EoOhcnwSpA6XUnNq7WOLaVWCS28QLbhqAoyRWuo4kHvmg9pw8WHl6EB1zbZOAwWQuR nopVGKl07+1UlvwJJs/7IbD8AAX86dItV8ZIQyq0= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Len Baker , "Paulo Alcantara (SUSE)" , Jeff Layton , Steve French , Sasha Levin Subject: [PATCH 5.13 230/300] CIFS: Fix a potencially linear read overflow Date: Mon, 13 Sep 2021 15:14:51 +0200 Message-Id: <20210913131117.117431895@linuxfoundation.org> X-Mailer: git-send-email 2.33.0 In-Reply-To: <20210913131109.253835823@linuxfoundation.org> References: <20210913131109.253835823@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Len Baker [ Upstream commit f980d055a0f858d73d9467bb0b570721bbfcdfb8 ] strlcpy() reads the entire source buffer first. This read may exceed the destination size limit. This is both inefficient and can lead to linear read overflows if a source string is not NUL-terminated. Also, the strnlen() call does not avoid the read overflow in the strlcpy function when a not NUL-terminated string is passed. So, replace this block by a call to kstrndup() that avoids this type of overflow and does the same. Fixes: 066ce6899484d ("cifs: rename cifs_strlcpy_to_host and make it use new functions") Signed-off-by: Len Baker Reviewed-by: Paulo Alcantara (SUSE) Reviewed-by: Jeff Layton Signed-off-by: Steve French Signed-off-by: Sasha Levin --- fs/cifs/cifs_unicode.c | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/fs/cifs/cifs_unicode.c b/fs/cifs/cifs_unicode.c index 9bd03a231032..171ad8b42107 100644 --- a/fs/cifs/cifs_unicode.c +++ b/fs/cifs/cifs_unicode.c @@ -358,14 +358,9 @@ cifs_strndup_from_utf16(const char *src, const int maxlen, if (!dst) return NULL; cifs_from_utf16(dst, (__le16 *) src, len, maxlen, codepage, - NO_MAP_UNI_RSVD); + NO_MAP_UNI_RSVD); } else { - len = strnlen(src, maxlen); - len++; - dst = kmalloc(len, GFP_KERNEL); - if (!dst) - return NULL; - strlcpy(dst, src, len); + dst = kstrndup(src, maxlen, GFP_KERNEL); } return dst; -- 2.30.2