diff options
| author | Jeff Layton <jlayton@samba.org> | 2012-11-07 10:19:14 -0500 |
|---|---|---|
| committer | Jeff Layton <jlayton@samba.org> | 2012-11-07 10:19:14 -0500 |
| commit | c8cd10850eeac03dc21679c19859d5e2fd3d861f (patch) | |
| tree | 4675847c67dfb9eaafc21b97d5b08022cc319071 /setcifsacl.c | |
| parent | f0269e2a0efacf5299b123801d9ec49695ed30b6 (diff) | |
| download | cifs-utils-c8cd10850eeac03dc21679c19859d5e2fd3d861f.tar.gz cifs-utils-c8cd10850eeac03dc21679c19859d5e2fd3d861f.tar.bz2 cifs-utils-c8cd10850eeac03dc21679c19859d5e2fd3d861f.zip | |
setcifsacl: fix overrun of subauths array when copying SIDs
copy_sec_desc() copies the owner and group SIDs from one security
descriptor to another. Unfortunately, it doesn't take into account the
fact that these are variable length and routinely overruns the SID
structure when doing this copy and scribbles over the destination ACL.
This wasn't noticed before the change in the maximum number of subauths
because the code either overwrote the damage afterward, or the overrun
part was the same between source and destination anyway. Now that the
max number of subauths is 15, it's more noticable.
Fix it to only copy the number of subauths that claimed in the buffer
instead.
Signed-off-by: Jeff Layton <jlayton@samba.org>
Diffstat (limited to 'setcifsacl.c')
| -rw-r--r-- | setcifsacl.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/setcifsacl.c b/setcifsacl.c index 23ab5b1..e97a35f 100644 --- a/setcifsacl.c +++ b/setcifsacl.c @@ -78,7 +78,7 @@ copy_sec_desc(const struct cifs_ntsd *pntsd, struct cifs_ntsd *pnntsd, nowner_sid_ptr->num_subauth = owner_sid_ptr->num_subauth; for (i = 0; i < NUM_AUTHS; i++) nowner_sid_ptr->authority[i] = owner_sid_ptr->authority[i]; - for (i = 0; i < SID_MAX_SUB_AUTHORITIES; i++) + for (i = 0; i < owner_sid_ptr->num_subauth; i++) nowner_sid_ptr->sub_auth[i] = owner_sid_ptr->sub_auth[i]; /* copy group sid */ @@ -89,7 +89,7 @@ copy_sec_desc(const struct cifs_ntsd *pntsd, struct cifs_ntsd *pnntsd, ngroup_sid_ptr->num_subauth = group_sid_ptr->num_subauth; for (i = 0; i < NUM_AUTHS; i++) ngroup_sid_ptr->authority[i] = group_sid_ptr->authority[i]; - for (i = 0; i < SID_MAX_SUB_AUTHORITIES; i++) + for (i = 0; i < group_sid_ptr->num_subauth; i++) ngroup_sid_ptr->sub_auth[i] = group_sid_ptr->sub_auth[i]; return; |