Patch "cifs: fix potential buffer overrun when composing a new options string" has been added to the 3.0-stable tree

Fri, 31 May 2013 16:45:34 -0700 

This is a note to let you know that I've just added the patch titled

    cifs: fix potential buffer overrun when composing a new options string

to the 3.0-stable tree which can be found at:
    
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     cifs-fix-potential-buffer-overrun-when-composing-a-new-options-string.patch
and it can be found in the queue-3.0 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From 166faf21bd14bc5c5295a44874bf7f3930c30b20 Mon Sep 17 00:00:00 2001
From: Jeff Layton <jlay...@redhat.com>
Date: Fri, 24 May 2013 07:40:04 -0400
Subject: cifs: fix potential buffer overrun when composing a new options string

From: Jeff Layton <jlay...@redhat.com>

commit 166faf21bd14bc5c5295a44874bf7f3930c30b20 upstream.

Consider the case where we have a very short ip= string in the original
mount options, and when we chase a referral we end up with a very long
IPv6 address. Be sure to allow for that possibility when estimating the
size of the string to allocate.

Signed-off-by: Jeff Layton <jlay...@redhat.com>
Signed-off-by: Steve French <sfre...@us.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
 fs/cifs/cifs_dfs_ref.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/fs/cifs/cifs_dfs_ref.c
+++ b/fs/cifs/cifs_dfs_ref.c
@@ -18,6 +18,7 @@
 #include <linux/slab.h>
 #include <linux/vfs.h>
 #include <linux/fs.h>
+#include <linux/inet.h>
 #include "cifsglob.h"
 #include "cifsproto.h"
 #include "cifsfs.h"
@@ -149,7 +150,8 @@ char *cifs_compose_mount_options(const c
         * assuming that we have 'unc=' and 'ip=' in
         * the original sb_mountdata
         */
-       md_len = strlen(sb_mountdata) + rc + strlen(ref->node_name) + 12;
+       md_len = strlen(sb_mountdata) + rc + strlen(ref->node_name) + 12 +
+                       INET6_ADDRSTRLEN;
        mountdata = kzalloc(md_len+1, GFP_KERNEL);
        if (mountdata == NULL) {
                rc = -ENOMEM;


Patches currently in stable-queue which might be from jlay...@redhat.com are

queue-3.0/cifs-fix-potential-buffer-overrun-when-composing-a-new-options-string.patch
queue-3.0/cifs-only-set-ops-for-inodes-in-i_new-state.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to