summaryrefslogtreecommitdiffstats
path: root/fs/cifs/connect.c
diff options
context:
space:
mode:
authorTaesoo Kim <tsgatesv@gmail.com>2015-03-22 00:08:30 +0100
committerSteve French <smfrench@gmail.com>2015-03-21 18:01:50 +0100
commit2bd50fb3d4d31f5168ecea221f291534cd0a96e9 (patch)
treefbc079983364b9d761b111f52d7a581cf7fc5b48 /fs/cifs/connect.c
parentcifs: fix use-after-free bug in find_writable_file (diff)
downloadlinux-2bd50fb3d4d31f5168ecea221f291534cd0a96e9.tar.xz
linux-2bd50fb3d4d31f5168ecea221f291534cd0a96e9.zip
cifs: potential memory leaks when parsing mnt opts
For example, when mount opt is redundently specified (e.g., "user=A,user=B,user=C"), kernel kept allocating new key/val with kstrdup() and overwrite previous ptr (to be freed). Althouhg mount.cifs in userspace performs a bit of sanitization (e.g., forcing one user option), current implementation is not robust. Other options such as iocharset and domainanme are similarly vulnerable. Signed-off-by: Taesoo Kim <tsgatesv@gmail.com> Signed-off-by: Steve French <smfrench@gmail.com>
Diffstat (limited to 'fs/cifs/connect.c')
-rw-r--r--fs/cifs/connect.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index d3aa999ab785..4cb8450e081b 100644
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -1599,6 +1599,8 @@ cifs_parse_mount_options(const char *mountdata, const char *devname,
pr_warn("CIFS: username too long\n");
goto cifs_parse_mount_err;
}
+
+ kfree(vol->username);
vol->username = kstrdup(string, GFP_KERNEL);
if (!vol->username)
goto cifs_parse_mount_err;
@@ -1700,6 +1702,7 @@ cifs_parse_mount_options(const char *mountdata, const char *devname,
goto cifs_parse_mount_err;
}
+ kfree(vol->domainname);
vol->domainname = kstrdup(string, GFP_KERNEL);
if (!vol->domainname) {
pr_warn("CIFS: no memory for domainname\n");
@@ -1731,6 +1734,7 @@ cifs_parse_mount_options(const char *mountdata, const char *devname,
}
if (strncasecmp(string, "default", 7) != 0) {
+ kfree(vol->iocharset);
vol->iocharset = kstrdup(string,
GFP_KERNEL);
if (!vol->iocharset) {