1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
|
From 007c07fd91b6d42f8bd45187cf78ebb06801139d Mon Sep 17 00:00:00 2001
From: Jeffrey Bencteux <jbe@improsec.com>
Date: Thu, 17 Mar 2022 12:58:52 -0400
Subject: [PATCH] CVE-2022-27239: mount.cifs: fix length check for ip option
parsing
Previous check was true whatever the length of the input string was,
leading to a buffer overflow in the subsequent strcpy call.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15025
Signed-off-by: Jeffrey Bencteux <jbe@improsec.com>
Reviewed-by: David Disseldorp <ddiss@suse.de>
Upstream-Status: Backport [ https://git.samba.org/?p=cifs-utils.git;a=commit;h=007c07fd91b6d42f8bd45187cf78ebb06801139d]
CVE: CVE-2022-27239
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
---
mount.cifs.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/mount.cifs.c b/mount.cifs.c
index 84274c9..3a6b449 100644
--- a/mount.cifs.c
+++ b/mount.cifs.c
@@ -926,9 +926,10 @@ parse_options(const char *data, struct parsed_mount_info *parsed_info)
if (!value || !*value) {
fprintf(stderr,
"target ip address argument missing\n");
- } else if (strnlen(value, MAX_ADDRESS_LEN) <=
+ } else if (strnlen(value, MAX_ADDRESS_LEN) <
MAX_ADDRESS_LEN) {
- strcpy(parsed_info->addrlist, value);
+ strlcpy(parsed_info->addrlist, value,
+ MAX_ADDRESS_LEN);
if (parsed_info->verboseflag)
fprintf(stderr,
"ip address %s override specified\n",
--
2.34.1
|
