Bugfixes for 2.6.33

Fix memory over bound bug in cifs_parse_mount_options + stable updates

Bugfixes for 2.6.33
2f8b9a12 · Pavel Shilovsky · 39caaf06 · 2f8b9a12
Commit 2f8b9a12 authored May 12, 2011 by Pavel Shilovsky
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 3 deletions

connect.c sources/2.6.33/connect.c +4 -3

No files found.
--- a/sources/2.6.33/connect.c
+++ b/sources/2.6.33/connect.c
@@ -800,8 +800,7 @@ static int
 cifs_parse_mount_options(char *options, const char *devname,
 			 struct smb_vol *vol)
 {
-	char *value;
-	char *data;
+	char *value, *data, *end;
 	unsigned int  temp_len, i, j;
 	char separator[2];
 	short int override_uid = -1;
@@ -844,6 +843,7 @@ cifs_parse_mount_options(char *options, const char *devname,
 	if (!options)
 		return 1;

+	end = options + strlen(options);
 	if (strncmp(options, "sep=", 4) == 0) {
 		if (options[4] != 0) {
 			separator[0] = options[4];
@@ -908,6 +908,7 @@ cifs_parse_mount_options(char *options, const char *devname,
 			the only illegal character in a password is null */

 			if ((value[temp_len] == 0) &&
+			    (value + temp_len < end) &&
 			    (value[temp_len+1] == separator[0])) {
 				/* reinsert comma */
 				value[temp_len] = separator[0];
@@ -2540,7 +2541,7 @@ try_mount_again:

 remote_path_check:
 	/* check if a whole path (including prepath) is not remote */
-	if (!rc && cifs_sb->prepathlen && tcon) {
+	if (!rc && tcon) {
 		/* build_path_to_root works only when we have a valid tcon */
 		full_path = cifs_build_path_to_root(cifs_sb);
 		if (full_path == NULL) {