From: Jeff Layton <jlayton@redhat.com> Date: Mon, 15 Feb 2010 16:08:16 -0500 Subject: [fs] cifs: max username len check in setup does not match Message-id: <1266250096-21498-5-git-send-email-jlayton@redhat.com> Patchwork-id: 23272 O-Subject: [RHEL5.5 PATCH 4/4] BZ#562947: cifs: Maximum username length check in session setup does not match Bugzilla: 562947 RH-Acked-by: Steve Dickson <SteveD@redhat.com> From: Steve French <sfrench@us.ibm.com> (backported from 301a6a317797ca362951ea21da397c05236f0070) Fix length check reported by D. Binderman (see below) d binderman <dcb314@hotmail.com> wrote: > > I just ran the sourceforge tool cppcheck over the source code of the > new Linux kernel 2.6.33-rc6 > > It said > > [./cifs/sess.c:250]: (error) Buffer access out-of-bounds May turn out to be harmless, but best to be safe. Note max username length is defined to 32 due to Linux (Windows maximum is 20). Signed-off-by: Steve French <sfrench@us.ibm.com> diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c index 0921d6a..abc7fd5 100644 --- a/fs/cifs/sess.c +++ b/fs/cifs/sess.c @@ -229,9 +229,9 @@ static void unicode_ssetup_strings(char **pbcc_area, struct cifsSesInfo *ses, /* null user mount */ *bcc_ptr = 0; *(bcc_ptr+1) = 0; - } else { /* 300 should be long enough for any conceivable user name */ + } else { bytes_ret = cifs_strtoUCS((__le16 *) bcc_ptr, ses->userName, - 300, nls_cp); + MAX_USERNAME_SIZE, nls_cp); } bcc_ptr += 2 * bytes_ret; bcc_ptr += 2; /* account for null termination */ 
@@ -251,11 +251,10 @@ static void ascii_ssetup_strings(char **pbcc_area, struct cifsSesInfo *ses, /* copy user */ if (ses->userName == NULL) { /* BB what about null user mounts - check that we do this BB */ - } else { /* 300 should be long enough for any conceivable user name */ - strncpy(bcc_ptr, ses->userName, 300); + } else { + strncpy(bcc_ptr, ses->userName, MAX_USERNAME_SIZE); } - /* BB improve check for overflow */ - bcc_ptr += strnlen(ses->userName, 300); + bcc_ptr += strnlen(ses->userName, MAX_USERNAME_SIZE); *bcc_ptr = 0; bcc_ptr++; /* account for null termination */
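Review bot: in the unicode_ssetup_strings hunk the bound handed to cifs_strtoUCS becomes MAX_USERNAME_SIZE, which the message says is 32, but neither the hunk nor the message shows where that constant is defined or that ses->userName is sized by it; a short comment at the call site (or, if ses->userName is a fixed array, a BUILD_BUG_ON against sizeof(ses->userName)) would make it visible that the read from ses->userName is now bounded by its own buffer rather than by the dropped "300 should be long enough" guess. It is also worth one sentence in the message that this bounds the source read only: the bcc_ptr destination is sized elsewhere and is not checked by this change.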
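Review bot: in the ascii_ssetup_strings hunk the line `bcc_ptr += strnlen(ses->userName, MAX_USERNAME_SIZE);` sits outside the else branch, so in the `ses->userName == NULL` case, which the if-branch only comments on ("BB what about null user mounts"), execution falls through to strnlen(NULL, ...); since the patch already rewrites that line, move it inside the else (and write only the terminator in the NULL case). The removed "/* BB improve check for overflow */" comment referred to the destination: strncpy now reads at most MAX_USERNAME_SIZE bytes from ses->userName, but nothing in the hunk checks remaining space in the BCC area, so either keep the comment or state in the message why the destination is known to be large enough. The explicit `*bcc_ptr = 0;` after the advance does cover the case where strncpy copies MAX_USERNAME_SIZE bytes with no terminator, so that part is fine.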