raspi/linux
1
0
Fork 1
mirror of https://github.com/raspberrypi/linux.git synced 2025-12-06 01:49:46 +00:00
Code Issues Projects Releases Wiki Activity

cifs_dbg() outputs an uninitialized buffer in cifs_readdir()

Browse Source 
[ Upstream commit 01b9b0b286 ]

In some cases tmp_bug can be not filled in cifs_filldir and stay uninitialized,
therefore its printk with "%s" modifier can leak content of kernelspace memory.
If old content of this buffer does not contain '\0' access bejond end of
allocated object can crash the host.

Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
Signed-off-by: Steve French <sfrench@localhost.localdomain>
CC: Stable <stable@vger.kernel.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
This commit is contained in:
Vasily Averin
2016-01-14 13:41:14 +03:00
committed by Sasha Levin
parent 99b79b15df
commit c5882812d2
1 changed files with 1 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
fs/cifs/readdir.c
View File

@@ -847,6 +847,7 @@ int cifs_readdir(struct file *file, struct dir_context *ctx)
* if buggy server returns . and .. late do we want to * if buggy server returns . and .. late do we want to
* check for that here? * check for that here?
*/ */
*tmp_buf = 0;
rc = cifs_filldir(current_entry, file, ctx, rc = cifs_filldir(current_entry, file, ctx,
tmp_buf, max_len); tmp_buf, max_len);
if (rc) { if (rc) {