From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Len Baker, "Paulo Alcantara (SUSE)", Jeff Layton, Steve French, Sasha Levin
Subject: [PATCH 4.4 062/133] CIFS: Fix a potentially linear read overflow
Date: Mon, 20 Sep 2021 18:42:20 +0200
Message-Id: <20210920163914.679574667@linuxfoundation.org>
X-Mailer: git-send-email 2.33.0
In-Reply-To: <20210920163912.603434365@linuxfoundation.org>
References: <20210920163912.603434365@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Len Baker

[ Upstream commit f980d055a0f858d73d9467bb0b570721bbfcdfb8 ]

strlcpy() reads the entire source buffer first. This read may exceed the destination size limit. This is both inefficient and can lead to linear read overflows if a source string is not NUL-terminated. Also, the strnlen() call does not avoid the read overflow in the strlcpy function when a non-NUL-terminated string is passed.

So, replace this block by a call to kstrndup() that avoids this type of overflow and does the same.

Fixes: 066ce6899484d ("cifs: rename cifs_strlcpy_to_host and make it use new functions")
Signed-off-by: Len Baker
Reviewed-by: Paulo Alcantara (SUSE)
Reviewed-by: Jeff Layton
Signed-off-by: Steve French
Signed-off-by: Sasha Levin
---
 fs/cifs/cifs_unicode.c | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

diff --git a/fs/cifs/cifs_unicode.c b/fs/cifs/cifs_unicode.c
index 942874257a09..e5e780145728 100644
--- a/fs/cifs/cifs_unicode.c
+++ b/fs/cifs/cifs_unicode.c
@@ -367,14 +367,9 @@ cifs_strndup_from_utf16(const char *src, const int maxlen, if (!dst) return NULL; cifs_from_utf16(dst, (__le16 *) src, len, maxlen, codepage, - NO_MAP_UNI_RSVD); + NO_MAP_UNI_RSVD); } else { - len = strnlen(src, maxlen); - len++; - dst = kmalloc(len, GFP_KERNEL); - if (!dst) - return NULL; - strlcpy(dst, src, len); + dst = kstrndup(src, maxlen, GFP_KERNEL); } return dst; -- 2.30.2
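Review bot: the re-indentation of the `NO_MAP_UNI_RSVD);` continuation line in the UTF-16 branch is a whitespace-only change unrelated to the over-read fix; for a stable backport it is cleaner to drop it, or at least mention it in the commit message, so the diff stays confined to the `else` branch. On the fix itself, `dst = kstrndup(src, maxlen, GFP_KERNEL);` keeps the old semantics (length bounded by `strnlen(src, maxlen)`, allocation of that length plus one, NUL-terminated result) while never scanning past `maxlen` bytes of `src`, which is exactly the read that the removed `strlcpy(dst, src, len)` did not bound, since strlcpy computes strlen() over the whole source. `len` is no longer written in this branch, and with `return dst;` immediately following the if/else nothing reads it afterwards, so no stale-value issue is introduced.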
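The over-read the commit message describes, modelled in userspace C as an added example (not the kernel's code and not part of this mail): `bounded_strndup()` mirrors what `kstrndup()` does, and `old_pattern_bytes_read()` counts how far the strlen() inside strlcpy() would scan without actually overrunning memory. All function names and the constructed buffers are this example's own assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Userspace model of the kstrndup() the patch switches to: the scan is bounded
 * by strnlen(), so at most maxlen bytes of src are ever read, even when src
 * carries no NUL terminator. Example code, not the kernel's implementation. */
char *bounded_strndup(const char *src, size_t maxlen)
{
    size_t len = strnlen(src, maxlen);        /* stops at maxlen or the first NUL */
    char *dst = malloc(len + 1);
    if (!dst)
        return NULL;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return dst;
}

/* Model of the replaced pattern. strlcpy() computes strlen(src) over the whole
 * source to form its return value, so the strnlen(src, maxlen) used for the
 * destination size does not bound the read. Rather than really overrunning
 * memory, this walks src only up to src_capacity and reports how many bytes
 * the unbounded strlen() would have read; *overread is set when the scan hits
 * the end of the buffer without finding a NUL, i.e. where the real call would
 * keep reading past the allocation. */
size_t old_pattern_bytes_read(const char *src, size_t src_capacity, int *overread)
{
    size_t i = 0;
    while (i < src_capacity && src[i] != '\0')
        i++;
    *overread = (i == src_capacity);
    return *overread ? i : i + 1;             /* +1 counts the NUL that was found */
}

/* 1 when the old strlcpy() path would read past a buffer of src_capacity bytes. */
int old_path_overreads(const char *src, size_t src_capacity)
{
    int overread = 0;
    old_pattern_bytes_read(src, src_capacity, &overread);
    return overread;
}

/* Constructed input: n non-NUL bytes with no terminator, the shape that
 * triggers the bug. */
static void fill_unterminated(char *buf, size_t n)
{
    for (size_t i = 0; i < n; i++)
        buf[i] = (char)('a' + (i % 26));
}

/* Length of the copy the bounded path produces from an unterminated n-byte
 * buffer (exactly n, never more). Returns (size_t)-1 on failure. */
size_t bounded_copy_len_unterminated(size_t n)
{
    char buf[64];
    if (n > sizeof buf)
        return (size_t)-1;
    fill_unterminated(buf, n);
    char *dst = bounded_strndup(buf, n);
    if (!dst)
        return (size_t)-1;
    size_t len = strlen(dst);
    free(dst);
    return len;
}

/* 1 when the old path would over-read an unterminated n-byte buffer. */
int old_path_overreads_unterminated(size_t n)
{
    char buf[64];
    if (n > sizeof buf)
        return -1;
    fill_unterminated(buf, n);
    return old_path_overreads(buf, n);
}

/* 1 when bounded_strndup(src, maxlen) yields exactly expected. */
int bounded_copy_matches(const char *src, size_t maxlen, const char *expected)
{
    char *dst = bounded_strndup(src, maxlen);
    if (!dst)
        return 0;
    int ok = strcmp(dst, expected) == 0;
    free(dst);
    return ok;
}

int main(void)
{
    printf("bounded copy of \"share\" with maxlen 3 is \"sha\": %d\n",
           bounded_copy_matches("share", 3, "sha"));
    printf("bounded copy length from 8 unterminated bytes: %zu\n",
           bounded_copy_len_unterminated(8));
    printf("old strlcpy() path over-reads that buffer: %d\n",
           old_path_overreads_unterminated(8));
    printf("old path over-reads a terminated \"share\": %d\n",
           old_path_overreads("share", sizeof "share"));
    return 0;
}
```

The two paths only differ on input that lacks a terminator within `maxlen` bytes; on ordinary NUL-terminated strings both produce the same copy, which is why the bug is easy to miss in normal testing and why a bounded primitive such as kstrndup() is the right fix rather than an extra check around strlcpy().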