cifs: fix potential overflow in cifs_compose_mount_options
authorInsu Yun <wuninsu@gmail.com>
Mon, 1 Feb 2016 16:34:58 +0000 (11:34 -0500)
committerSteve French <smfrench@gmail.com>
Thu, 11 Feb 2016 00:04:56 +0000 (18:04 -0600)
In worst case, "ip=" + sb_mountdata + ipv6 can be copied into mountdata.
Therefore, for safe, it is better to add more size when allocating memory.

Signed-off-by: Insu Yun <wuninsu@gmail.com>
Signed-off-by: Steve French <smfrench@gmail.com>
fs/cifs/cifs_dfs_ref.c

index 7dc886c9a78fc428b368a1c911b8c1ad745f48a5..e956cba94338184416c96925690f21493fc61ab6 100644 (file)
@@ -175,7 +175,7 @@ char *cifs_compose_mount_options(const char *sb_mountdata,
         * string to the length of the original string to allow for worst case.
         */
        md_len = strlen(sb_mountdata) + INET6_ADDRSTRLEN;
-       mountdata = kzalloc(md_len + 1, GFP_KERNEL);
+       mountdata = kzalloc(md_len + sizeof("ip=") + 1, GFP_KERNEL);
        if (mountdata == NULL) {
                rc = -ENOMEM;
                goto compose_mount_options_err;