Bugfixes for 2.6.35

Fix memory over bound bug in cifs_parse_mount_options + stable updates

Bugfixes for 2.6.35
e9edd310 · Pavel Shilovsky · b208ffc6 · e9edd310 · e9edd310 · e9edd310
Commit e9edd310 authored May 12, 2011 by Pavel Shilovsky
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 9 deletions

cifsproto.h sources/2.6.35/cifsproto.h +4 -4

cifssmb.c sources/2.6.35/cifssmb.c +3 -2

connect.c sources/2.6.35/connect.c +4 -3

No files found.
--- a/sources/2.6.35/cifsproto.h
+++ b/sources/2.6.35/cifsproto.h
@@ -343,10 +343,10 @@ extern int cifsConvertToUCS(__le16 *target, const char *source, int maxlen,
 			const struct nls_table *cp, int mapChars);
 extern int CIFSSMBLock(const int xid, struct cifsTconInfo *tcon,
-			const __u16 netfid, const __u64 len, const __u64 offset,
+			const __u16 netfid, const __u64 len,
-			const __u32 numUnlock, const __u32 numLock,
+			const __u64 offset, const __u32 numUnlock,
-			const __u8 lockType, const bool waitFlag,
+			const __u32 numLock, const __u8 lockType,
-			const __u8 oplock_level);
+			const bool waitFlag, const __u8 oplock_level);
 extern int CIFSSMBPosixLock(const int xid, struct cifsTconInfo *tcon,
 			const __u16 smb_file_id, const int get_flag,
 			const __u64 len, struct file_lock *,

--- a/sources/2.6.35/cifssmb.c
+++ b/sources/2.6.35/cifssmb.c
@@ -1663,8 +1663,9 @@ CIFSSMBWrite2(const int xid, struct cifsTconInfo *tcon,
 int
 CIFSSMBLock(const int xid, struct cifsTconInfo *tcon,
-	    const __u16 smb_file_id, const __u64 len, const __u64 offset,
+	    const __u16 smb_file_id, const __u64 len,
-	    const __u32 numUnlock, const __u32 numLock, const __u8 lockType,
+	    const __u64 offset, const __u32 numUnlock,
+	    const __u32 numLock, const __u8 lockType,
 	    const bool waitFlag, const __u8 oplock_level)
 {
 	int rc = 0;

--- a/sources/2.6.35/connect.c
+++ b/sources/2.6.35/connect.c
@@ -803,8 +803,7 @@ static int
 cifs_parse_mount_options(char *options, const char *devname,
 			 struct smb_vol *vol)
 {
-	char *value;
+	char *value, *data, *end;
-	char *data;
 	unsigned int  temp_len, i, j;
 	char separator[2];
 	short int override_uid = -1;
@@ -847,6 +846,7 @@ cifs_parse_mount_options(char *options, const char *devname,
 	if (!options)
 		return 1;
+	end = options + strlen(options);
 	if (strncmp(options, "sep=", 4) == 0) {
 		if (options[4] != 0) {
 			separator[0] = options[4];
@@ -911,6 +911,7 @@ cifs_parse_mount_options(char *options, const char *devname,
 			the only illegal character in a password is null */
 			if ((value[temp_len] == 0) &&
+			    (value + temp_len < end) &&
 			    (value[temp_len+1] == separator[0])) {
 				/* reinsert comma */
 				value[temp_len] = separator[0];
@@ -2641,7 +2642,7 @@ try_mount_again:
 remote_path_check:
 	/* check if a whole path (including prepath) is not remote */
-	if (!rc && cifs_sb->prepathlen && tcon) {
+	if (!rc && tcon) {
 		/* build_path_to_root works only when we have a valid tcon */
 		full_path = cifs_build_path_to_root(cifs_sb);
 		if (full_path == NULL) {