linux/fs
Jeff Layton 27b87fe52b cifs: fix unicode string area word alignment in session setup
The handling of unicode string area alignment is wrong.
decode_unicode_ssetup improperly assumes that it will always be preceded
by a pad byte. This isn't the case if the string area is already
word-aligned.

This problem, combined with the bad buffer sizing for the serverDomain
string can cause memory corruption. The bad alignment can make it so
that the alignment of the characters is off. This can make them
translate to characters that are greater than 2 bytes each. If this
happens we can overflow the allocation.

Fix this by fixing the alignment in CIFS_SessSetup instead so we can
verify it against the head of the response. Also, clean up the
workaround for improperly terminated strings by checking for a
odd-length unicode buffers and then forcibly terminating them.

Finally, resize the buffer for serverDomain. Now that we've fixed
the alignment, it's probably fine, but a malicious server could
overflow it.

A better solution for handling these strings is still needed, but
this should be a suitable bandaid.

Signed-off-by: Jeff Layton <jlayton@redhat.com>
CC: Stable <stable@vger.kernel.org>
Signed-off-by: Steve French <sfrench@us.ibm.com>
2009-04-17 01:26:50 +00:00
..
9p vfs: simple_set_mnt() should return void 2009-03-27 14:44:03 -04:00
adfs fs/adfs: return f_fsid for statfs(2) 2009-04-02 19:05:08 -07:00
affs fs/affs: return f_fsid for statfs(2) 2009-04-02 19:05:08 -07:00
afs afs: BUG to BUG_ON changes 2009-04-09 10:41:19 -07:00
autofs constify dentry_operations: autofs, autofs4 2009-03-27 14:44:00 -04:00
autofs4 autofs4: fix lookup deadlock 2009-04-01 08:59:23 -07:00
befs befs: fix build on parisc 2009-04-08 10:21:43 -07:00
bfs fs/Kconfig: move bfs out 2009-01-22 13:15:57 +03:00
btrfs Merge git://git.kernel.org/pub/scm/linux/kernel/git/mason/btrfs-unstable 2009-04-03 15:14:44 -07:00
cachefiles CacheFiles: A cache that backs onto a mounted filesystem 2009-04-03 16:42:41 +01:00
cifs cifs: fix unicode string area word alignment in session setup 2009-04-17 01:26:50 +00:00
coda constify dentry_operations: misc filesystems 2009-03-27 14:44:00 -04:00
configfs constify dentry_operations: configfs 2009-03-27 14:44:03 -04:00
cramfs fs/cramfs: return f_fsid for statfs(2) 2009-04-02 19:05:08 -07:00
debugfs debugfs: function to know if debugfs is initialized 2009-03-23 16:25:46 +01:00
devpts Merge code for single and multiple-instance mounts 2009-03-27 14:44:04 -04:00
dlm dlm: fix length calculation in compat code 2009-03-11 12:23:59 -05:00
ecryptfs ecryptfs: use kzfree() 2009-04-01 08:59:23 -07:00
efs fs/efs: return f_fsid for statfs(2) 2009-04-02 19:05:09 -07:00
exofs exofs: Documentation 2009-03-31 19:44:38 +03:00
exportfs Merge branch 'next' into for-linus 2008-12-25 11:40:09 +11:00
ext2 ext2: fix data corruption for racing writes 2009-04-13 15:04:33 -07:00
ext3 ext3: Try to avoid starting a transaction in writepage for data=writepage 2009-04-08 13:15:10 -04:00
ext4 ext4: Remove code handling bio_alloc failure with __GFP_WAIT 2009-04-15 12:10:13 +02:00
fat Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6 2009-04-02 21:09:10 -07:00
freevxfs fs/Kconfig: move vxfs out 2009-01-22 13:15:58 +03:00
fscache FS-Cache: Implement data I/O part of netfs API 2009-04-03 16:42:39 +01:00
fuse fuse: fix "direct_io" private mmap 2009-04-09 17:37:53 +02:00
gfs2 Merge git://git.kernel.org/pub/scm/linux/kernel/git/steve/gfs2-2.6-fixes 2009-04-15 09:04:12 -07:00
hfs hfs: fix memory leak when unmounting 2009-04-13 15:04:29 -07:00
hfsplus Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6 2009-04-02 21:09:10 -07:00
hostfs constify dentry_operations: misc filesystems 2009-03-27 14:44:00 -04:00
hpfs Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6 2009-04-02 21:09:10 -07:00
hppfs hppfs: hppfs_read_file() may return -ERROR 2009-04-02 19:04:53 -07:00
hugetlbfs mm: reintroduce and deprecate rlimit based access for SHM_HUGETLB 2009-04-01 08:59:12 -07:00
isofs fs/isofs: return f_fsid for statfs(2) 2009-04-02 19:05:09 -07:00
jbd jbd: update locking coments 2009-04-13 15:04:32 -07:00
jbd2 jbd2: use WRITE_SYNC_PLUG instead of WRITE_SYNC 2009-04-06 08:04:54 -07:00
jffs2 Merge git://git.infradead.org/mtd-2.6 2009-04-06 14:56:26 -07:00
jfs New helper - current_umask() 2009-03-31 23:00:26 -04:00
lockd Merge branch 'for-2.6.30' of git://linux-nfs.org/~bfields/linux 2009-04-06 13:25:56 -07:00
minix fs/minix: return f_fsid for statfs(2) 2009-04-02 19:05:09 -07:00
ncpfs constify dentry_operations: misc filesystems 2009-03-27 14:44:00 -04:00
nfs NFS: Fix the return value in nfs_page_mkwrite() 2009-04-07 14:07:03 -07:00
nfs_common SUNRPC: nfsacl_encode/nfsacl_decode should be exported as GPL-only 2008-12-23 15:21:32 -05:00
nfsd Merge branch 'for-2.6.30' of git://linux-nfs.org/~bfields/linux 2009-04-06 13:25:56 -07:00
nilfs2 nilfs2: fix possible mismatch of sufile counters on recovery 2009-04-13 09:53:52 +09:00
nls
notify fs: avoid I_NEW inodes 2009-03-27 14:44:05 -04:00
ntfs ntfs: remove private wrapper of endian helpers 2009-04-01 08:59:18 -07:00
ocfs2 ocfs2: fix i_mutex locking in ocfs2_splice_to_file() 2009-04-15 12:10:12 +02:00
omfs Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6 2009-04-02 21:09:10 -07:00
openpromfs zero i_uid/i_gid on inode allocation 2009-01-05 11:54:28 -05:00
partitions Merge branch 'tracing/core-v2' into tracing-for-linus 2009-04-02 00:49:02 +02:00
proc nommu: fix typo vma->pg_off to vma->vm_pgoff 2009-04-08 10:21:44 -07:00
qnx4 fs/qnx4: return f_fsid for statfs(2) 2009-04-02 19:05:10 -07:00
quota vfs: skip I_CLEAR state inodes 2009-04-02 19:04:48 -07:00
ramfs ramfs: fix double freeing s_fs_info on failed mount 2009-04-07 07:39:59 -07:00
reiserfs Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6 2009-04-02 21:09:10 -07:00
romfs fs/romfs: return f_fsid for statfs(2) 2009-04-07 08:31:10 -07:00
smbfs constify dentry_operations: misc filesystems 2009-03-27 14:44:00 -04:00
squashfs Merge branch 'kmemtrace-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip 2009-04-06 13:30:00 -07:00
sysfs mm: page_mkwrite change prototype to match fault: fix sysfs 2009-04-01 08:59:14 -07:00
sysv fs/sysv: return f_fsid for statfs(2) 2009-04-02 19:05:10 -07:00
ubifs Merge branch 'linux-next' of git://git.infradead.org/ubifs-2.6 2009-04-06 15:00:19 -07:00
udf udf: Don't write integrity descriptor too often 2009-04-02 13:36:28 +02:00
ufs fs/ufs: return f_fsid for statfs(2) 2009-04-02 19:05:10 -07:00
xfs Merge branch 'for-linus' of git://oss.sgi.com/xfs/xfs 2009-04-13 14:35:13 -07:00
aio.c aio: lookup_ioctx can return the wrong value when looking up a bogus context 2009-03-19 15:57:18 -07:00
anon_inodes.c constify dentry_operations: rest 2009-03-27 14:44:03 -04:00
attr.c vfs: Use lowercase names of quota functions 2009-03-26 02:18:35 +01:00
bad_inode.c kill ->dir_notify() 2008-12-31 18:07:43 -05:00
binfmt_aout.c sanitize ifdefs in binfmt_aout 2009-01-03 11:45:54 -08:00
binfmt_elf_fdpic.c bin_elf_fdpic: check the return value of clear_user 2009-04-02 19:05:01 -07:00
binfmt_elf.c Trim includes in binfmt_elf 2009-03-31 23:00:27 -04:00
binfmt_em86.c
binfmt_flat.c FLAT: Don't attempt to expand the userspace stack to fill the space allocated 2009-01-08 12:04:47 +00:00
binfmt_misc.c fs/binfmt_misc.c: add terminating newline to /proc/sys/fs/binfmt_misc/status 2009-01-06 15:59:19 -08:00
binfmt_script.c
binfmt_som.c Don't crap into descriptor table in binfmt_som 2009-03-31 23:00:28 -04:00
bio-integrity.c block: add private bio_set for bio integrity allocations 2009-03-24 12:35:17 +01:00
bio.c bio: add documentation to bio_alloc() 2009-04-15 12:10:12 +02:00
block_dev.c Cleanup after commit 585d3bc06f 2009-04-01 07:07:16 -04:00
buffer.c Add block_write_full_page_endio for passing endio handler 2009-04-16 07:47:49 -07:00
char_dev.c fs: fix name overwrite in __register_chrdev_region() 2009-01-06 15:59:13 -08:00
compat_binfmt_elf.c
compat_ioctl.c Merge branch 'for-linus' of git://neil.brown.name/md 2009-04-03 09:08:19 -07:00
compat.c Make non-compat preadv/pwritev use native register size 2009-04-04 14:20:34 -07:00
dcache.c Trim includes of fdtable.h 2009-03-31 23:00:28 -04:00
dcookies.c [CVE-2009-0029] System call wrapper special cases 2009-01-14 14:15:18 +01:00
direct-io.c dio: Remove code handling bio_alloc failure with __GFP_WAIT 2009-04-15 12:10:13 +02:00
drop_caches.c vfs: skip I_CLEAR state inodes 2009-04-02 19:04:48 -07:00
eventfd.c epoll keyed wakeups: make eventfd use keyed wakeups 2009-04-01 08:59:20 -07:00
eventpoll.c epoll keyed wakeups: teach epoll about hints coming with the wakeup key 2009-04-01 08:59:20 -07:00
exec.c Get rid of indirect include of fs_struct.h 2009-03-31 23:00:27 -04:00
fcntl.c Fix a lockdep warning in fasync_helper() 2009-03-30 08:00:24 -06:00
fifo.c
file_table.c trivial: remove unused variable 'path' in alloc_file() 2009-03-30 15:22:03 +02:00
file.c
filesystems.c [CVE-2009-0029] System call wrappers part 27 2009-01-14 14:15:29 +01:00
fs_struct.c Get rid of indirect include of fs_struct.h 2009-03-31 23:00:27 -04:00
fs-writeback.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2009-04-03 15:24:35 -07:00
generic_acl.c New helper - current_umask() 2009-03-31 23:00:26 -04:00
inode.c splice: add helpers for locking pipe inode 2009-04-15 12:10:12 +02:00
internal.h New locking/refcounting for fs_struct 2009-03-31 23:00:26 -04:00
ioctl.c Rationalize fasync return values 2009-03-16 08:34:35 -06:00
ioprio.c [CVE-2009-0029] System call wrappers part 28 2009-01-14 14:15:30 +01:00
Kconfig nilfs2: update makefile and Kconfig 2009-04-07 08:31:16 -07:00
Kconfig.binfmt CORE_DUMP_DEFAULT_ELF_HEADERS depends on ELF_CORE 2009-01-09 16:54:41 -08:00
libfs.c kmemtrace, fs: uninline simple_transaction_set() 2009-04-03 12:09:09 +02:00
locks.c [CVE-2009-0029] System call wrappers part 16 2009-01-14 14:15:25 +01:00
Makefile nilfs2: update makefile and Kconfig 2009-04-07 08:31:16 -07:00
mbcache.c
mpage.c Remove two unneeded exports and make two symbols static in fs/mpage.c 2009-04-01 07:38:54 -04:00
namei.c Get rid of indirect include of fs_struct.h 2009-03-31 23:00:27 -04:00
namespace.c Get rid of indirect include of fs_struct.h 2009-03-31 23:00:27 -04:00
nfsctl.c [CVE-2009-0029] System call wrappers part 27 2009-01-14 14:15:29 +01:00
no-block.c
open.c Get rid of indirect include of fs_struct.h 2009-03-31 23:00:27 -04:00
pipe.c splice: add helpers for locking pipe inode 2009-04-15 12:10:12 +02:00
pnode.c
pnode.h
posix_acl.c CRED: Wrap task credential accesses in the filesystem subsystem 2008-11-14 10:39:05 +11:00
read_write.c Make non-compat preadv/pwritev use native register size 2009-04-04 14:20:34 -07:00
read_write.h
readdir.c [CVE-2009-0029] System call wrappers part 32 2009-01-14 14:15:31 +01:00
select.c [CVE-2009-0029] System call wrappers part 32 2009-01-14 14:15:31 +01:00
seq_file.c cpumask: fix seq_bitmap_*() functions. 2009-03-30 22:05:11 +10:30
signalfd.c [CVE-2009-0029] System call wrappers part 31 2009-01-14 14:15:31 +01:00
splice.c splice: add helpers for locking pipe inode 2009-04-15 12:10:12 +02:00
stack.c
stat.c [CVE-2009-0029] System call wrappers part 30 2009-01-14 14:15:30 +01:00
super.c namespaces: move proc_net_get_sb to a generic fs/super.c helper 2009-04-07 08:31:09 -07:00
sync.c Merge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-quota-2.6 2009-03-27 14:48:34 -07:00
timerfd.c timerfd: add flags check 2009-02-18 15:37:53 -08:00
utimes.c [CVE-2009-0029] System call wrappers part 30 2009-01-14 14:15:30 +01:00
xattr_acl.c
xattr.c [CVE-2009-0029] System call wrappers part 13 2009-01-14 14:15:23 +01:00