authorJeffrey Bencteux <jbe@improsec.com>2022-03-17 12:58:52 -0400
committerPavel Shilovsky <piastryyy@gmail.com>2022-04-26 17:07:40 -0700
commit007c07fd91b6d42f8bd45187cf78ebb06801139d (patch)
tree001b60b8523824fb1f0b55f6d9c8d221a0122b6f /mount.cifs.c
parent8c06dce7d596e478c20bc54bdcec87ad97f80a1b (diff)
CVE-2022-27239: mount.cifs: fix length check for ip option parsing
Previous check was true whatever the length of the input string was, leading to a buffer overflow in the subsequent strcpy call. Bug: https://bugzilla.samba.org/show_bug.cgi?id=15025 Signed-off-by: Jeffrey Bencteux <jbe@improsec.com> Reviewed-by: David Disseldorp <ddiss@suse.de>
Diffstat (limited to 'mount.cifs.c')
-rw-r--r--mount.cifs.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/mount.cifs.c b/mount.cifs.c
index 84274c9..3a6b449 100644
--- a/mount.cifs.c
+++ b/mount.cifs.c
@@ -926,9 +926,10 @@ parse_options(const char *data, struct parsed_mount_info *parsed_info)
if (!value || !*value) {
fprintf(stderr,
"target ip address argument missing\n");
- } else if (strnlen(value, MAX_ADDRESS_LEN) <=
+ } else if (strnlen(value, MAX_ADDRESS_LEN) <
MAX_ADDRESS_LEN) {
- strcpy(parsed_info->addrlist, value);
+ strlcpy(parsed_info->addrlist, value,
+ MAX_ADDRESS_LEN);
if (parsed_info->verboseflag)
fprintf(stderr,
"ip address %s override specified\n",
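Review bot: The bound passed to `strlcpy` is the `MAX_ADDRESS_LEN` constant rather than the size of the destination, so the copy is only safe if `parsed_info->addrlist` holds at least `MAX_ADDRESS_LEN` bytes; its declaration is not visible in this hunk. If `addrlist` is an array member, `strlcpy(parsed_info->addrlist, value, sizeof(parsed_info->addrlist));` would keep the bound correct should the buffer size change later. A short comment on the condition would also guard against a regression to `<=`, for example `/* strnlen() returns MAX_ADDRESS_LEN for any longer string, so '<' is needed to reject it */`. parse_options starts and ends outside the hunk, so the handling of an over-long value is not visible here.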