Commit dd26bc06 authored by Pali Rohár, committed by Steve French

cifs: Validate content of native symlink



Check that path buffer has correct length (it is non-zero and in UNICODE
mode it has even number of bytes) and check that buffer does not contain
null character (UTF-16 null codepoint in UNICODE mode or null byte in
non-unicode mode) because Linux cannot process symlink with null byte.

Signed-off-by: Pali Rohár <pali@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
parent 723f4ef9
+19 −0
@@ -547,6 +547,25 @@ int smb2_parse_native_symlink(char **target, const char *buf, unsigned int len,
	int rc;
	int i;

	/* Check that length it valid for unicode/non-unicode mode */
	if (!len || (unicode && (len % 2))) {
		cifs_dbg(VFS, "srv returned malformed symlink buffer\n");
		rc = -EIO;
		goto out;
	}

	/*
	 * Check that buffer does not contain UTF-16 null codepoint in unicode
	 * mode or null byte in non-unicode mode because Linux cannot process
	 * symlink with null byte.
	 */
	if ((unicode && UniStrnlen((wchar_t *)buf, len/2) != len/2) ||
	    (!unicode && strnlen(buf, len) != len)) {
		cifs_dbg(VFS, "srv returned null byte in native symlink target location\n");
		rc = -EIO;
		goto out;
	}

	smb_target = cifs_strndup_from_utf16(buf, len, unicode, cifs_sb->local_nls);
	if (!smb_target) {
		rc = -ENOMEM;
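
Review bot: In the null-codepoint check, the cast `(wchar_t *)buf` drops the const qualifier from `buf`, which the signature declares as `const char *buf`; cast to `const wchar_t *` so the read-only contract on the server-supplied buffer is kept. The comment above the length check also has a typo: "Check that length it valid" should read "Check that length is valid". The ordering of the two checks is worth preserving: the `len/2` comparison is only meaningful because odd lengths were already rejected in unicode mode, so a short note to that effect in the second comment would help a later reader who might reorder them.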