diff options
| author | Pali Rohár <pali@kernel.org> | 2024-09-27 20:20:39 +0200 |
|---|---|---|
| committer | Steve French <stfrench@microsoft.com> | 2024-09-29 17:28:40 -0500 |
| commit | a9023656bcd28aaf184974a121d3c2f2ec1ded46 (patch) | |
| tree | 86538894f2af27a1f39f67024c8d28f85b841e78 /fs/smb | |
| parent | 9852d85ec9d492ebef56dc5f229416c925758edc (diff) | |
cifs: Check for UTF-16 null codepoint in SFU symlink target location
Check that read buffer of SFU symlink target location does not contain
UTF-16 null codepoint (via UniStrnlen() call) because Linux cannot process
symlink with null byte, it truncates everything in buffer after null byte.
Fixes: cf2ce67345d6 ("cifs: Add support for reading SFU symlink location")
Signed-off-by: Pali Rohár <pali@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Diffstat (limited to 'fs/smb')
| -rw-r--r-- | fs/smb/client/inode.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/fs/smb/client/inode.c b/fs/smb/client/inode.c index 647f9bedd9fc..eff3f57235ee 100644 --- a/fs/smb/client/inode.c +++ b/fs/smb/client/inode.c @@ -629,10 +629,16 @@ cifs_sfu_type(struct cifs_fattr *fattr, const char *path, &symlink_len_utf16, &symlink_buf_utf16, &buf_type); + /* + * Check that read buffer has valid length and does not + * contain UTF-16 null codepoint (via UniStrnlen() call) + * because Linux cannot process symlink with null byte. + */ if ((rc == 0) && (symlink_len_utf16 > 0) && (symlink_len_utf16 < fattr->cf_eof-8 + 1) && - (symlink_len_utf16 % 2 == 0)) { + (symlink_len_utf16 % 2 == 0) && + (UniStrnlen((wchar_t *)symlink_buf_utf16, symlink_len_utf16/2) == symlink_len_utf16/2)) { fattr->cf_symlink_target = cifs_strndup_from_utf16(symlink_buf_utf16, symlink_len_utf16, |