cifs: potential memory leaks when parsing mnt opts
For example, when a mount option is redundantly specified (e.g., "user=A,user=B,user=C"), the kernel kept allocating a new key/val with kstrdup() and overwrote the previous pointer (which should have been freed). Although mount.cifs in userspace performs a bit of sanitization (e.g., forcing one user option), the current implementation is not robust. Other options such as iocharset and domainname are similarly vulnerable. Signed-off-by: Taesoo Kim <tsgatesv@gmail.com> Signed-off-by: Steve French <smfrench@gmail.com>
parent
e1e9bda22d
commit
2bd50fb3d4
|
@ -1599,6 +1599,8 @@ cifs_parse_mount_options(const char *mountdata, const char *devname,
|
|||
pr_warn("CIFS: username too long\n");
|
||||
goto cifs_parse_mount_err;
|
||||
}
|
||||
|
||||
kfree(vol->username);
|
||||
vol->username = kstrdup(string, GFP_KERNEL);
|
||||
if (!vol->username)
|
||||
goto cifs_parse_mount_err;
|
||||
|
@ -1700,6 +1702,7 @@ cifs_parse_mount_options(const char *mountdata, const char *devname,
|
|||
goto cifs_parse_mount_err;
|
||||
}
|
||||
|
||||
kfree(vol->domainname);
|
||||
vol->domainname = kstrdup(string, GFP_KERNEL);
|
||||
if (!vol->domainname) {
|
||||
pr_warn("CIFS: no memory for domainname\n");
|
||||
|
@ -1731,6 +1734,7 @@ cifs_parse_mount_options(const char *mountdata, const char *devname,
|
|||
}
|
||||
|
||||
if (strncasecmp(string, "default", 7) != 0) {
|
||||
kfree(vol->iocharset);
|
||||
vol->iocharset = kstrdup(string,
|
||||
GFP_KERNEL);
|
||||
if (!vol->iocharset) {
|
||||
|
|
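Review bot: The new `kfree(vol->username)`, `kfree(vol->domainname)` and `kfree(vol->iocharset)` calls are only safe on the first occurrence of each option if those fields start out NULL (or otherwise hold a valid allocation), and the initialisation of `vol` is not visible in any of the three hunks. Once that is confirmed, it is worth recording next to the first call, for example `/* a repeated user= option replaces the earlier value; relies on vol->username starting out NULL */`, so a later change to how `vol` is set up does not turn these into frees of an uninitialised pointer. The free-before-kstrdup fix is also applied by hand per option, so any other string-valued option in cifs_parse_mount_options that is assigned with kstrdup() outside these hunks presumably still leaks on repetition and should be audited the same way. The function body begins and ends outside the hunks, so neither point can be checked from this page.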