summaryrefslogtreecommitdiffstats
path: root/fs
diff options
context:
space:
mode:
authorTaesoo Kim <tsgatesv@gmail.com>2015-03-21 19:08:30 -0400
committerSteve French <smfrench@gmail.com>2015-03-21 12:01:50 -0500
commit2bd50fb3d4d31f5168ecea221f291534cd0a96e9 (patch)
treefbc079983364b9d761b111f52d7a581cf7fc5b48 /fs
parente1e9bda22d7ddf88515e8fe401887e313922823e (diff)
downloadlinux-2bd50fb3d4d31f5168ecea221f291534cd0a96e9.tar.gz
linux-2bd50fb3d4d31f5168ecea221f291534cd0a96e9.tar.bz2
linux-2bd50fb3d4d31f5168ecea221f291534cd0a96e9.zip
cifs: potential memory leaks when parsing mnt opts
For example, when mount opt is redundently specified (e.g., "user=A,user=B,user=C"), kernel kept allocating new key/val with kstrdup() and overwrite previous ptr (to be freed). Althouhg mount.cifs in userspace performs a bit of sanitization (e.g., forcing one user option), current implementation is not robust. Other options such as iocharset and domainanme are similarly vulnerable. Signed-off-by: Taesoo Kim <tsgatesv@gmail.com> Signed-off-by: Steve French <smfrench@gmail.com>
Diffstat (limited to 'fs')
-rw-r--r--fs/cifs/connect.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index d3aa999ab785..4cb8450e081b 100644
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -1599,6 +1599,8 @@ cifs_parse_mount_options(const char *mountdata, const char *devname,
pr_warn("CIFS: username too long\n");
goto cifs_parse_mount_err;
}
+
+ kfree(vol->username);
vol->username = kstrdup(string, GFP_KERNEL);
if (!vol->username)
goto cifs_parse_mount_err;
@@ -1700,6 +1702,7 @@ cifs_parse_mount_options(const char *mountdata, const char *devname,
goto cifs_parse_mount_err;
}
+ kfree(vol->domainname);
vol->domainname = kstrdup(string, GFP_KERNEL);
if (!vol->domainname) {
pr_warn("CIFS: no memory for domainname\n");
@@ -1731,6 +1734,7 @@ cifs_parse_mount_options(const char *mountdata, const char *devname,
}
if (strncasecmp(string, "default", 7) != 0) {
+ kfree(vol->iocharset);
vol->iocharset = kstrdup(string,
GFP_KERNEL);
if (!vol->iocharset) {