1From 007c07fd91b6d42f8bd45187cf78ebb06801139d Mon Sep 17 00:00:00 2001
2From: Jeffrey Bencteux <jbe@improsec.com>
3Date: Thu, 17 Mar 2022 12:58:52 -0400
4Subject: [PATCH] CVE-2022-27239: mount.cifs: fix length check for ip option
5 parsing
6
7Previous check was true whatever the length of the input string was,
8leading to a buffer overflow in the subsequent strcpy call.
9
10Bug: https://bugzilla.samba.org/show_bug.cgi?id=15025
11
12Signed-off-by: Jeffrey Bencteux <jbe@improsec.com>
13Reviewed-by: David Disseldorp <ddiss@suse.de>
14
15Upstream-Status: Backport [ https://git.samba.org/?p=cifs-utils.git;a=commit;h=007c07fd91b6d42f8bd45187cf78ebb06801139d]
16CVE: CVE-2022-27239
17Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
18---
19 mount.cifs.c | 5 +++--
20 1 file changed, 3 insertions(+), 2 deletions(-)
21
22diff --git a/mount.cifs.c b/mount.cifs.c
23index 84274c9..3a6b449 100644
24--- a/mount.cifs.c
25+++ b/mount.cifs.c
26@@ -926,9 +926,10 @@ parse_options(const char *data, struct parsed_mount_info *parsed_info)
27 if (!value || !*value) {
28 fprintf(stderr,
29 "target ip address argument missing\n");
30- } else if (strnlen(value, MAX_ADDRESS_LEN) <=
31+ } else if (strnlen(value, MAX_ADDRESS_LEN) <
32 MAX_ADDRESS_LEN) {
33- strcpy(parsed_info->addrlist, value);
34+ strlcpy(parsed_info->addrlist, value,
35+ MAX_ADDRESS_LEN);
36 if (parsed_info->verboseflag)
37 fprintf(stderr,
38 "ip address %s override specified\n",
39--
402.34.1
41
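Review bot: The new `strlcpy` into `parsed_info->addrlist` is bounded by `MAX_ADDRESS_LEN`, the same constant the length check uses, rather than by the size of the destination, whose declaration is outside this hunk. The corrected `strnlen(value, MAX_ADDRESS_LEN) < MAX_ADDRESS_LEN` test already leaves room for the terminator, so the copy cannot truncate, but it stays in bounds only as long as `addrlist` holds at least `MAX_ADDRESS_LEN` bytes. If `addrlist` is an array member, `strlcpy(parsed_info->addrlist, value, sizeof(parsed_info->addrlist));` ties the bound to the buffer itself; if it is a pointer, a one-line comment stating the assumed capacity would make the invariant visible. parse_options starts and ends outside the hunk, so the handling of an over-long value is not visible here.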