diff options
| author |   Jeff Layton <jlayton@redhat.com> | 2012-12-03 06:05:31 -0500 |
|---|---|---|
| committer |   Steve French <smfrench@gmail.com> | 2012-12-08 22:04:37 -0600 |
| commit | 1f6306806c1494bea51b93f96e105e93a96e3c22 (patch) | |
| tree | 8cbd03168fa91915bcf144e8b56dccf53b78acc2 /fs | |
| parent | cifs: fix hardcoded default security descriptor length (diff) | |
| download | linux-dev-1f6306806c1494bea51b93f96e105e93a96e3c22.tar.xz linux-dev-1f6306806c1494bea51b93f96e105e93a96e3c22.zip | |
cifs: deal with id_to_sid embedded sid reply corner case
A SID could potentially be embedded inside of payload.value if there are
no subauthorities, and the arch has 8 byte pointers. Allow for that
possibility there.
While we're at it, rephrase the "embedding" check in terms of
key->payload to allow for the possibility that the union might change
size in the future.
Reviewed-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <smfrench@gmail.com>
Diffstat (limited to 'fs')
| -rw-r--r-- | fs/cifs/cifsacl.c | 15 |
1 files changed, 12 insertions, 3 deletions
diff --git a/fs/cifs/cifsacl.c b/fs/cifs/cifsacl.c index 08b4d5022686..8dd9212ffef5 100644 --- a/fs/cifs/cifsacl.c +++ b/fs/cifs/cifsacl.c @@ -57,7 +57,7 @@ cifs_idmap_key_instantiate(struct key *key, struct key_preparsed_payload *prep) * With this however, you must check the datalen before trying to * dereference payload.data! */ - if (prep->datalen <= sizeof(void *)) { + if (prep->datalen <= sizeof(key->payload)) { key->payload.value = 0; memcpy(&key->payload.value, prep->data, prep->datalen); key->datalen = prep->datalen; @@ -76,7 +76,7 @@ cifs_idmap_key_instantiate(struct key *key, struct key_preparsed_payload *prep) static inline void cifs_idmap_key_destroy(struct key *key) { - if (key->datalen > sizeof(void *)) + if (key->datalen > sizeof(key->payload)) kfree(key->payload.data); } @@ -216,7 +216,15 @@ id_to_sid(unsigned int cid, uint sidtype, struct cifs_sid *ssid) goto invalidate_key; } - ksid = (struct cifs_sid *)sidkey->payload.data; + /* + * A sid is usually too large to be embedded in payload.value, but if + * there are no subauthorities and the host has 8-byte pointers, then + * it could be. + */ + ksid = sidkey->datalen <= sizeof(sidkey->payload) ? + (struct cifs_sid *)&sidkey->payload.value : + (struct cifs_sid *)sidkey->payload.data; + ksid_size = CIFS_SID_BASE_SIZE + (ksid->num_subauth * sizeof(__le32)); if (ksid_size > sidkey->datalen) { rc = -EIO; @@ -224,6 +232,7 @@ id_to_sid(unsigned int cid, uint sidtype, struct cifs_sid *ssid) "ksid_size=%u)", __func__, sidkey->datalen, ksid_size); goto invalidate_key; } + cifs_copy_sid(ssid, ksid); out_key_put: key_put(sidkey); |