35 строки
1.2 KiB
Diff
35 строки
1.2 KiB
Diff
From 955fb147e97a6a74e1aaa65766de91e2c1479765 Mon Sep 17 00:00:00 2001
|
|
From: Jeffrey Bencteux <jbe@improsec.com>
|
|
Date: Thu, 17 Mar 2022 12:58:52 -0400
|
|
Subject: [PATCH] CVE-2022-27239: mount.cifs: fix length check for ip option
|
|
parsing
|
|
|
|
Previous check was true whatever the length of the input string was,
|
|
leading to a buffer overflow in the subsequent strcpy call.
|
|
|
|
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15025
|
|
|
|
Signed-off-by: Jeffrey Bencteux <jbe@improsec.com>
|
|
Reviewed-by: David Disseldorp <ddiss@suse.de>
|
|
---
|
|
mount.cifs.c | 5 +++--
|
|
1 file changed, 3 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/mount.cifs.c b/mount.cifs.c
|
|
index 84274c9..3a6b449 100644
|
|
--- a/mount.cifs.c
|
|
+++ b/mount.cifs.c
|
|
@@ -926,9 +926,10 @@ parse_options(const char *data, struct parsed_mount_info *parsed_info)
|
|
if (!value || !*value) {
|
|
fprintf(stderr,
|
|
"target ip address argument missing\n");
|
|
- } else if (strnlen(value, MAX_ADDRESS_LEN) <=
|
|
+ } else if (strnlen(value, MAX_ADDRESS_LEN) <
|
|
MAX_ADDRESS_LEN) {
|
|
- strcpy(parsed_info->addrlist, value);
|
|
+ strlcpy(parsed_info->addrlist, value,
|
|
+ MAX_ADDRESS_LEN);
|
|
if (parsed_info->verboseflag)
|
|
fprintf(stderr,
|
|
"ip address %s override specified\n",
|