diff options
| author | Olof Johansson <olof@lixom.net> | 2012-02-10 12:40:34 -0800 |
|---|---|---|
| committer | Olof Johansson <olof@lixom.net> | 2012-02-10 12:40:34 -0800 |
| commit | 082f53c2f573c75a8f1610c587a43b6817e20f90 (patch) | |
| tree | c3ad3a58967e7f7f61ff12ff59284dba1e76d093 /fs/cifs/sess.c | |
| parent | e69128b947da0a2474447868f73c76311e2baedb (diff) | |
| parent | b024e33682c8e56cc8e869245dabd1b91ffe00ea (diff) | |
Merge branch 'for-arm-soc' of git://sources.calxeda.com/kernel/linux into next/soc
* 'for-arm-soc' of git://sources.calxeda.com/kernel/linux: (247 commits)
ARM: highbank: remove unused memory.h
ARM: highbank: enable sp804 based sched_clock
ARM: timer-sp: add sched_clock support
Linux 3.3-rc3
pcmcia: fix socket refcount decrementing on each resume
mm: fix UP THP spin_is_locked BUGs
drivers/leds/leds-lm3530.c: fix setting pltfm->als_vmax
mm: compaction: check for overlapping nodes during isolation for migration
nilfs2: avoid overflowing segment numbers in nilfs_ioctl_clean_segments()
ASoC: wm8994: Disable line output discharge prior to ramping VMID
ASoC: wm8994: Fix typo in VMID ramp setting
ALSA: oxygen, virtuoso: fix exchanged L/R volumes of aux and CD inputs
ALSA: usb-audio: add Edirol UM-3G support
checkpatch: Warn on code with 6+ tab indentation
ACPI: remove duplicated lines of merging problems with acpi_processor_add
ALSA: hda - add support for Uniwill ECS M31EI notebook
HID: wiimote: fix invalid power_supply_powers call
ALSA: hda - Fix error handling in patch_ca0132.c
target: Fix unsupported WRITE_SAME sense payload
iscsi: use IP_FREEBIND socket option
...
Diffstat (limited to 'fs/cifs/sess.c')
| -rw-r--r-- | fs/cifs/sess.c | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c index d85efad5765..551d0c2b973 100644 --- a/fs/cifs/sess.c +++ b/fs/cifs/sess.c @@ -246,16 +246,15 @@ static void ascii_ssetup_strings(char **pbcc_area, struct cifs_ses *ses, /* copy user */ /* BB what about null user mounts - check that we do this BB */ /* copy user */ - if (ses->user_name != NULL) + if (ses->user_name != NULL) { strncpy(bcc_ptr, ses->user_name, MAX_USERNAME_SIZE); + bcc_ptr += strnlen(ses->user_name, MAX_USERNAME_SIZE); + } /* else null user mount */ - - bcc_ptr += strnlen(ses->user_name, MAX_USERNAME_SIZE); *bcc_ptr = 0; bcc_ptr++; /* account for null termination */ /* copy domain */ - if (ses->domainName != NULL) { strncpy(bcc_ptr, ses->domainName, 256); bcc_ptr += strnlen(ses->domainName, 256); @@ -395,6 +394,10 @@ static int decode_ntlmssp_challenge(char *bcc_ptr, int blob_len, ses->ntlmssp->server_flags = le32_to_cpu(pblob->NegotiateFlags); tioffset = le32_to_cpu(pblob->TargetInfoArray.BufferOffset); tilen = le16_to_cpu(pblob->TargetInfoArray.Length); + if (tioffset > blob_len || tioffset + tilen > blob_len) { + cERROR(1, "tioffset + tilen too high %u + %u", tioffset, tilen); + return -EINVAL; + } if (tilen) { ses->auth_key.response = kmalloc(tilen, GFP_KERNEL); if (!ses->auth_key.response) { |