Patchwork [3.5.y.z,extended,stable] Patch "cifs: fix potential buffer overrun when composing a new" has been added to staging queue

Submitter Luis Henriques
Date May 31, 2013, 10:59 a.m.
Message ID <>
Permalink /patch/247920/
State New


Luis Henriques - May 31, 2013, 10:59 a.m.
This is a note to let you know that I have just added a patch titled

    cifs: fix potential buffer overrun when composing a new

to the linux-3.5.y-queue branch of the 3.5.y.z extended stable tree 
which can be found at:;a=shortlog;h=refs/heads/linux-3.5.y-queue

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.5.y.z tree, see



From 0f96d5e603e071122d162a013067a76402081747 Mon Sep 17 00:00:00 2001
From: Jeff Layton <>
Date: Fri, 24 May 2013 07:40:04 -0400
Subject: [PATCH] cifs: fix potential buffer overrun when composing a new
 options string

commit 166faf21bd14bc5c5295a44874bf7f3930c30b20 upstream.

Consider the case where we have a very short ip= string in the original
mount options, and when we chase a referral we end up with a very long
IPv6 address. Be sure to allow for that possibility when estimating the
size of the string to allocate.

Signed-off-by: Jeff Layton <>
Signed-off-by: Steve French <>
Signed-off-by: Luis Henriques <>
 fs/cifs/cifs_dfs_ref.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)



diff --git a/fs/cifs/cifs_dfs_ref.c b/fs/cifs/cifs_dfs_ref.c
index 2263144..d0e5fc5 100644
--- a/fs/cifs/cifs_dfs_ref.c
+++ b/fs/cifs/cifs_dfs_ref.c
@@ -18,6 +18,7 @@ 
 #include <linux/slab.h>
 #include <linux/vfs.h>
 #include <linux/fs.h>
+#include <linux/inet.h>
 #include "cifsglob.h"
 #include "cifsproto.h"
 #include "cifsfs.h"
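
Review bot: the added `#include <linux/inet.h>` has no user in this hunk, and the commit message does not mention it. Name the definition the new size term takes from that header, either in the message or in the comment beside the calculation, so the include is not later dropped as unused.
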
@@ -150,7 +151,8 @@  char *cifs_compose_mount_options(const char *sb_mountdata,
 	 * assuming that we have 'unc=' and 'ip=' in
 	 * the original sb_mountdata
-	md_len = strlen(sb_mountdata) + rc + strlen(ref->node_name) + 12;
+	md_len = strlen(sb_mountdata) + rc + strlen(ref->node_name) + 12 +
 	mountdata = kzalloc(md_len+1, GFP_KERNEL);
 	if (mountdata == NULL) {
 		rc = -ENOMEM;
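
Review bot: the `md_len` calculation is still a hand-maintained estimate: the bare `12` is unexplained, and the comment above it says the sum assumes 'unc=' and 'ip=' are already present in `sb_mountdata`. As shown on this page, the added line ends in a trailing `+` with its last operand missing, so the new term cannot be checked against the commit message here. I would spell out in the comment what each term of the sum covers (what the 12 bytes are for, and that the new term is the worst-case address length rather than the length of the original `ip=` value), and make sure every write into `mountdata` after the `kzalloc(md_len+1, GFP_KERNEL)` is bounded by `md_len`, so that a wrong estimate fails the mount instead of overrunning the buffer.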