[patch 22/45] CIFS: Fix memory overwrite when saving nativeFileSystem field during mount

From: Chris Wright
Date: Tue Mar 31 2009 - 19:21:18 EST


-stable review patch. If anyone has any objections, please let us know.
---------------------

From: Steve French <sfrench@xxxxxxxxxx>

upstream commit: b363b3304bcf68c4541683b2eff70b29f0446a5b

CIFS can allocate a few bytes too little for the nativeFileSystem field
during tree connect response processing during mount. This can result
in a "Redzone overwritten" message being logged.

Signed-off-by: Sridhar Vinay <vinaysridhar@xxxxxxxxxx>
Acked-by: Shirish Pargaonkar <shirishp@xxxxxxxxxx>
CC: Stable <stable@xxxxxxxxxx>
Signed-off-by: Steve French <sfrench@xxxxxxxxxx>
[chrisw: minor backport to CHANGES file]
Signed-off-by: Chris Wright <chrisw@xxxxxxxxxxxx>
---
fs/cifs/CHANGES | 3 +++
fs/cifs/connect.c | 2 +-
2 files changed, 4 insertions(+), 1 deletion(-)

--- a/fs/cifs/CHANGES
+++ b/fs/cifs/CHANGES
@@ -7,6 +7,9 @@ are authenticated as guest, as reconnect
user's smb session. This fix allows cifs to mount multiple times to the
same server with different userids without risking invalidating earlier
established security contexts.
+Fix "redzone overwritten" bug in cifs_put_tcon (CIFSTcon may allocate too
+little memory for the "nativeFileSystem" field returned by the server
+during mount).

Version 1.56
------------
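Review bot: the new CHANGES entry attributes the bug to cifs_put_tcon, while its own parenthetical and the connect.c hunk place the undersized allocation in CIFSTCon; lead with the function that was actually changed ("CIFSTCon may allocate too little memory for the "nativeFileSystem" field ... which shows up as a "redzone overwritten" report when the buffer is freed") so that someone searching the changelog for the modified function finds it. The entry also spells it "CIFSTcon" whereas the hunk header below has "CIFSTCon"; use the latter.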
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -3667,7 +3667,7 @@ CIFSTCon(unsigned int xid, struct cifsSe
BCC(smb_buffer_response)) {
kfree(tcon->nativeFileSystem);
tcon->nativeFileSystem =
- kzalloc(length + 2, GFP_KERNEL);
+ kzalloc(2*(length + 1), GFP_KERNEL);
if (tcon->nativeFileSystem)
cifs_strfromUCS_le(
tcon->nativeFileSystem,
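Review bot: the new size 2*(length + 1) hard-codes a two-bytes-per-unit expansion plus one terminating unit for whatever cifs_strfromUCS_le writes into tcon->nativeFileSystem, but the hunk ends before that call's length argument, so it is not possible to confirm from the patch that the number of units the conversion is asked to write is bounded by the same `length`; please quote the remaining arguments of the call, or state the relationship in the commit message. A one-line comment above the kzalloc explaining why 2*(length + 1) is the right bound would also help, since the previous `length + 2` evidently looked sufficient to whoever wrote it. Finally, `length` is derived from server-supplied data; the condition that ends in BCC(smb_buffer_response) on the first context line is presumably what keeps it within the response's byte count, so the multiplication cannot overflow, and that is worth confirming explicitly in the description.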

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/