summaryrefslogtreecommitdiffstats
path: root/fs
diff options
context:
space:
mode:
authorPali Rohár <pali@kernel.org>2024-09-27 20:20:39 +0200
committerSteve French <stfrench@microsoft.com>2024-09-29 17:28:40 -0500
commita9023656bcd28aaf184974a121d3c2f2ec1ded46 (patch)
tree86538894f2af27a1f39f67024c8d28f85b841e78 /fs
parent9852d85ec9d492ebef56dc5f229416c925758edc (diff)
downloadlinux-a9023656bcd28aaf184974a121d3c2f2ec1ded46.tar.gz
linux-a9023656bcd28aaf184974a121d3c2f2ec1ded46.tar.bz2
linux-a9023656bcd28aaf184974a121d3c2f2ec1ded46.zip
cifs: Check for UTF-16 null codepoint in SFU symlink target location
Check that read buffer of SFU symlink target location does not contain UTF-16 null codepoint (via UniStrnlen() call) because Linux cannot process symlink with null byte, it truncates everything in buffer after null byte. Fixes: cf2ce67345d6 ("cifs: Add support for reading SFU symlink location") Signed-off-by: Pali Rohár <pali@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
Diffstat (limited to 'fs')
-rw-r--r--fs/smb/client/inode.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/fs/smb/client/inode.c b/fs/smb/client/inode.c
index 647f9bedd9fc..eff3f57235ee 100644
--- a/fs/smb/client/inode.c
+++ b/fs/smb/client/inode.c
@@ -629,10 +629,16 @@ cifs_sfu_type(struct cifs_fattr *fattr, const char *path,
&symlink_len_utf16,
&symlink_buf_utf16,
&buf_type);
+ /*
+ * Check that read buffer has valid length and does not
+ * contain UTF-16 null codepoint (via UniStrnlen() call)
+ * because Linux cannot process symlink with null byte.
+ */
if ((rc == 0) &&
(symlink_len_utf16 > 0) &&
(symlink_len_utf16 < fattr->cf_eof-8 + 1) &&
- (symlink_len_utf16 % 2 == 0)) {
+ (symlink_len_utf16 % 2 == 0) &&
+ (UniStrnlen((wchar_t *)symlink_buf_utf16, symlink_len_utf16/2) == symlink_len_utf16/2)) {
fattr->cf_symlink_target =
cifs_strndup_from_utf16(symlink_buf_utf16,
symlink_len_utf16,