summaryrefslogtreecommitdiffstats
path: root/fs/cifs/cifs_unicode.c
diff options
context:
space:
mode:
authorLen Baker <len.baker@gmx.com>2021-08-17 12:27:09 +0200
committerSteve French <stfrench@microsoft.com>2021-08-25 22:42:15 +0200
commitf980d055a0f858d73d9467bb0b570721bbfcdfb8 (patch)
tree4a7aaeadc83db7840b04621951e548548ec10a2d /fs/cifs/cifs_unicode.c
parentLinux 5.14-rc7 (diff)
downloadlinux-f980d055a0f858d73d9467bb0b570721bbfcdfb8.tar.xz
linux-f980d055a0f858d73d9467bb0b570721bbfcdfb8.zip
CIFS: Fix a potencially linear read overflow
strlcpy() reads the entire source buffer first. This read may exceed the destination size limit. This is both inefficient and can lead to linear read overflows if a source string is not NUL-terminated. Also, the strnlen() call does not avoid the read overflow in the strlcpy function when a not NUL-terminated string is passed. So, replace this block by a call to kstrndup() that avoids this type of overflow and does the same. Fixes: 066ce6899484d ("cifs: rename cifs_strlcpy_to_host and make it use new functions") Signed-off-by: Len Baker <len.baker@gmx.com> Reviewed-by: Paulo Alcantara (SUSE) <pc@cjr.nz> Reviewed-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
Diffstat (limited to 'fs/cifs/cifs_unicode.c')
-rw-r--r--fs/cifs/cifs_unicode.c9
1 files changed, 2 insertions, 7 deletions
diff --git a/fs/cifs/cifs_unicode.c b/fs/cifs/cifs_unicode.c
index 9bd03a231032..171ad8b42107 100644
--- a/fs/cifs/cifs_unicode.c
+++ b/fs/cifs/cifs_unicode.c
@@ -358,14 +358,9 @@ cifs_strndup_from_utf16(const char *src, const int maxlen,
if (!dst)
return NULL;
cifs_from_utf16(dst, (__le16 *) src, len, maxlen, codepage,
- NO_MAP_UNI_RSVD);
+ NO_MAP_UNI_RSVD);
} else {
- len = strnlen(src, maxlen);
- len++;
- dst = kmalloc(len, GFP_KERNEL);
- if (!dst)
- return NULL;
- strlcpy(dst, src, len);
+ dst = kstrndup(src, maxlen, GFP_KERNEL);
}
return dst;