Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Merge tag '5.3-rc6-smb3-fixes' of git://git.samba.org/sfrench/cifs-2.6

Pull cifs fixes from Steve French:
"A few small SMB3 fixes, and a larger one to fix various older string
handling functions"

* tag '5.3-rc6-smb3-fixes' of git://git.samba.org/sfrench/cifs-2.6:
cifs: update internal module number
cifs: replace various strncpy with strscpy and similar
cifs: Use kzfree() to zero out the password
cifs: set domainName when a domain-key is used in multiuser

+135 -147
+1 -1
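--- a/fs/cifs/cifsfs.h
+++ b/fs/cifs/cifsfs.h
@@ -152,5 +152,5 @@
 extern const struct export_operations cifs_export_ops;
 #endif /* CONFIG_CIFS_NFSD_EXPORT */
 
-#define CIFS_VERSION "2.21"
+#define CIFS_VERSION "2.22"
 #endif /* _CIFSFS_H */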
+1
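--- a/fs/cifs/cifsproto.h
+++ b/fs/cifs/cifsproto.h
@@ -579,6 +579,7 @@
 unsigned int *len, unsigned int *offset);
 
 void extract_unc_hostname(const char *unc, const char **h, size_t *len);
+int copy_path_name(char *dst, const char *src);
 
 #ifdef CONFIG_CIFS_DFS_UPCALL
 static inline int get_dfs_path(const unsigned int xid, struct cifs_ses *ses,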
+65 -132
fs/cifs/cifssmb.c
··· 942 942 PATH_MAX, nls_codepage, remap); 943 943 name_len++; /* trailing null */ 944 944 name_len *= 2; 945 - } else { /* BB add path length overrun check */ 946 - name_len = strnlen(fileName, PATH_MAX); 947 - name_len++; /* trailing null */ 948 - strncpy(pSMB->FileName, fileName, name_len); 945 + } else { 946 + name_len = copy_path_name(pSMB->FileName, fileName); 949 947 } 950 948 951 949 params = 6 + name_len; ··· 1013 1015 remap); 1014 1016 name_len++; /* trailing null */ 1015 1017 name_len *= 2; 1016 - } else { /* BB improve check for buffer overruns BB */ 1017 - name_len = strnlen(name, PATH_MAX); 1018 - name_len++; /* trailing null */ 1019 - strncpy(pSMB->fileName, name, name_len); 1018 + } else { 1019 + name_len = copy_path_name(pSMB->fileName, name); 1020 1020 } 1021 1021 pSMB->SearchAttributes = 1022 1022 cpu_to_le16(ATTR_READONLY | ATTR_HIDDEN | ATTR_SYSTEM); ··· 1058 1062 remap); 1059 1063 name_len++; /* trailing null */ 1060 1064 name_len *= 2; 1061 - } else { /* BB improve check for buffer overruns BB */ 1062 - name_len = strnlen(name, PATH_MAX); 1063 - name_len++; /* trailing null */ 1064 - strncpy(pSMB->DirName, name, name_len); 1065 + } else { 1066 + name_len = copy_path_name(pSMB->DirName, name); 1065 1067 } 1066 1068 1067 1069 pSMB->BufferFormat = 0x04; ··· 1101 1107 remap); 1102 1108 name_len++; /* trailing null */ 1103 1109 name_len *= 2; 1104 - } else { /* BB improve check for buffer overruns BB */ 1105 - name_len = strnlen(name, PATH_MAX); 1106 - name_len++; /* trailing null */ 1107 - strncpy(pSMB->DirName, name, name_len); 1110 + } else { 1111 + name_len = copy_path_name(pSMB->DirName, name); 1108 1112 } 1109 1113 1110 1114 pSMB->BufferFormat = 0x04; ··· 1149 1157 PATH_MAX, nls_codepage, remap); 1150 1158 name_len++; /* trailing null */ 1151 1159 name_len *= 2; 1152 - } else { /* BB improve the check for buffer overruns BB */ 1153 - name_len = strnlen(name, PATH_MAX); 1154 - name_len++; /* trailing null */ 1155 - strncpy(pSMB->FileName, 
name, name_len); 1160 + } else { 1161 + name_len = copy_path_name(pSMB->FileName, name); 1156 1162 } 1157 1163 1158 1164 params = 6 + name_len; ··· 1314 1324 fileName, PATH_MAX, nls_codepage, remap); 1315 1325 name_len++; /* trailing null */ 1316 1326 name_len *= 2; 1317 - } else { /* BB improve check for buffer overruns BB */ 1327 + } else { 1318 1328 count = 0; /* no pad */ 1319 - name_len = strnlen(fileName, PATH_MAX); 1320 - name_len++; /* trailing null */ 1321 - strncpy(pSMB->fileName, fileName, name_len); 1329 + name_len = copy_path_name(pSMB->fileName, fileName); 1322 1330 } 1323 1331 if (*pOplock & REQ_OPLOCK) 1324 1332 pSMB->OpenFlags = cpu_to_le16(REQ_OPLOCK); ··· 1430 1442 /* BB improve check for buffer overruns BB */ 1431 1443 /* no pad */ 1432 1444 count = 0; 1433 - name_len = strnlen(path, PATH_MAX); 1434 - /* trailing null */ 1435 - name_len++; 1445 + name_len = copy_path_name(req->fileName, path); 1436 1446 req->NameLength = cpu_to_le16(name_len); 1437 - strncpy(req->fileName, path, name_len); 1438 1447 } 1439 1448 1440 1449 if (*oplock & REQ_OPLOCK) ··· 2797 2812 remap); 2798 2813 name_len2 += 1 /* trailing null */ + 1 /* Signature word */ ; 2799 2814 name_len2 *= 2; /* convert to bytes */ 2800 - } else { /* BB improve the check for buffer overruns BB */ 2801 - name_len = strnlen(from_name, PATH_MAX); 2802 - name_len++; /* trailing null */ 2803 - strncpy(pSMB->OldFileName, from_name, name_len); 2804 - name_len2 = strnlen(to_name, PATH_MAX); 2805 - name_len2++; /* trailing null */ 2815 + } else { 2816 + name_len = copy_path_name(pSMB->OldFileName, from_name); 2817 + name_len2 = copy_path_name(pSMB->OldFileName+name_len+1, to_name); 2806 2818 pSMB->OldFileName[name_len] = 0x04; /* 2nd buffer format */ 2807 - strncpy(&pSMB->OldFileName[name_len + 1], to_name, name_len2); 2808 - name_len2++; /* trailing null */ 2809 2819 name_len2++; /* signature byte */ 2810 2820 } 2811 2821 ··· 2942 2962 toName, PATH_MAX, nls_codepage, remap); 2943 2963 name_len2 += 
1 /* trailing null */ + 1 /* Signature word */ ; 2944 2964 name_len2 *= 2; /* convert to bytes */ 2945 - } else { /* BB improve the check for buffer overruns BB */ 2946 - name_len = strnlen(fromName, PATH_MAX); 2947 - name_len++; /* trailing null */ 2948 - strncpy(pSMB->OldFileName, fromName, name_len); 2949 - name_len2 = strnlen(toName, PATH_MAX); 2950 - name_len2++; /* trailing null */ 2965 + } else { 2966 + name_len = copy_path_name(pSMB->OldFileName, fromName); 2951 2967 pSMB->OldFileName[name_len] = 0x04; /* 2nd buffer format */ 2952 - strncpy(&pSMB->OldFileName[name_len + 1], toName, name_len2); 2953 - name_len2++; /* trailing null */ 2968 + name_len2 = copy_path_name(pSMB->OldFileName+name_len+1, toName); 2954 2969 name_len2++; /* signature byte */ 2955 2970 } 2956 2971 ··· 2996 3021 name_len++; /* trailing null */ 2997 3022 name_len *= 2; 2998 3023 2999 - } else { /* BB improve the check for buffer overruns BB */ 3000 - name_len = strnlen(fromName, PATH_MAX); 3001 - name_len++; /* trailing null */ 3002 - strncpy(pSMB->FileName, fromName, name_len); 3024 + } else { 3025 + name_len = copy_path_name(pSMB->FileName, fromName); 3003 3026 } 3004 3027 params = 6 + name_len; 3005 3028 pSMB->MaxSetupCount = 0; ··· 3017 3044 PATH_MAX, nls_codepage, remap); 3018 3045 name_len_target++; /* trailing null */ 3019 3046 name_len_target *= 2; 3020 - } else { /* BB improve the check for buffer overruns BB */ 3021 - name_len_target = strnlen(toName, PATH_MAX); 3022 - name_len_target++; /* trailing null */ 3023 - strncpy(data_offset, toName, name_len_target); 3047 + } else { 3048 + name_len_target = copy_path_name(data_offset, toName); 3024 3049 } 3025 3050 3026 3051 pSMB->MaxParameterCount = cpu_to_le16(2); ··· 3080 3109 name_len++; /* trailing null */ 3081 3110 name_len *= 2; 3082 3111 3083 - } else { /* BB improve the check for buffer overruns BB */ 3084 - name_len = strnlen(toName, PATH_MAX); 3085 - name_len++; /* trailing null */ 3086 - strncpy(pSMB->FileName, toName, 
name_len); 3112 + } else { 3113 + name_len = copy_path_name(pSMB->FileName, toName); 3087 3114 } 3088 3115 params = 6 + name_len; 3089 3116 pSMB->MaxSetupCount = 0; ··· 3100 3131 PATH_MAX, nls_codepage, remap); 3101 3132 name_len_target++; /* trailing null */ 3102 3133 name_len_target *= 2; 3103 - } else { /* BB improve the check for buffer overruns BB */ 3104 - name_len_target = strnlen(fromName, PATH_MAX); 3105 - name_len_target++; /* trailing null */ 3106 - strncpy(data_offset, fromName, name_len_target); 3134 + } else { 3135 + name_len_target = copy_path_name(data_offset, fromName); 3107 3136 } 3108 3137 3109 3138 pSMB->MaxParameterCount = cpu_to_le16(2); ··· 3180 3213 remap); 3181 3214 name_len2 += 1 /* trailing null */ + 1 /* Signature word */ ; 3182 3215 name_len2 *= 2; /* convert to bytes */ 3183 - } else { /* BB improve the check for buffer overruns BB */ 3184 - name_len = strnlen(from_name, PATH_MAX); 3185 - name_len++; /* trailing null */ 3186 - strncpy(pSMB->OldFileName, from_name, name_len); 3187 - name_len2 = strnlen(to_name, PATH_MAX); 3188 - name_len2++; /* trailing null */ 3216 + } else { 3217 + name_len = copy_path_name(pSMB->OldFileName, from_name); 3189 3218 pSMB->OldFileName[name_len] = 0x04; /* 2nd buffer format */ 3190 - strncpy(&pSMB->OldFileName[name_len + 1], to_name, name_len2); 3191 - name_len2++; /* trailing null */ 3219 + name_len2 = copy_path_name(pSMB->OldFileName+name_len+1, to_name); 3192 3220 name_len2++; /* signature byte */ 3193 3221 } 3194 3222 ··· 3233 3271 remap); 3234 3272 name_len++; /* trailing null */ 3235 3273 name_len *= 2; 3236 - } else { /* BB improve the check for buffer overruns BB */ 3237 - name_len = strnlen(searchName, PATH_MAX); 3238 - name_len++; /* trailing null */ 3239 - strncpy(pSMB->FileName, searchName, name_len); 3274 + } else { 3275 + name_len = copy_path_name(pSMB->FileName, searchName); 3240 3276 } 3241 3277 3242 3278 params = 2 /* level */ + 4 /* rsrvd */ + name_len /* incl null */ ; ··· 3651 3691 
name_len *= 2; 3652 3692 pSMB->FileName[name_len] = 0; 3653 3693 pSMB->FileName[name_len+1] = 0; 3654 - } else { /* BB improve the check for buffer overruns BB */ 3655 - name_len = strnlen(searchName, PATH_MAX); 3656 - name_len++; /* trailing null */ 3657 - strncpy(pSMB->FileName, searchName, name_len); 3694 + } else { 3695 + name_len = copy_path_name(pSMB->FileName, searchName); 3658 3696 } 3659 3697 3660 3698 params = 2 /* level */ + 4 /* rsrvd */ + name_len /* incl null */ ; ··· 3734 3776 PATH_MAX, nls_codepage, remap); 3735 3777 name_len++; /* trailing null */ 3736 3778 name_len *= 2; 3737 - } else { /* BB improve the check for buffer overruns BB */ 3738 - name_len = strnlen(fileName, PATH_MAX); 3739 - name_len++; /* trailing null */ 3740 - strncpy(pSMB->FileName, fileName, name_len); 3779 + } else { 3780 + name_len = copy_path_name(pSMB->FileName, fileName); 3741 3781 } 3742 3782 params = 6 + name_len; 3743 3783 pSMB->MaxParameterCount = cpu_to_le16(2); ··· 4140 4184 name_len++; /* trailing null */ 4141 4185 name_len *= 2; 4142 4186 } else { 4143 - name_len = strnlen(search_name, PATH_MAX); 4144 - name_len++; /* trailing null */ 4145 - strncpy(pSMB->FileName, search_name, name_len); 4187 + name_len = copy_path_name(pSMB->FileName, search_name); 4146 4188 } 4147 4189 pSMB->BufferFormat = 0x04; 4148 4190 name_len++; /* account for buffer type byte */ ··· 4275 4321 PATH_MAX, nls_codepage, remap); 4276 4322 name_len++; /* trailing null */ 4277 4323 name_len *= 2; 4278 - } else { /* BB improve the check for buffer overruns BB */ 4279 - name_len = strnlen(search_name, PATH_MAX); 4280 - name_len++; /* trailing null */ 4281 - strncpy(pSMB->FileName, search_name, name_len); 4324 + } else { 4325 + name_len = copy_path_name(pSMB->FileName, search_name); 4282 4326 } 4283 4327 4284 4328 params = 2 /* level */ + 4 /* reserved */ + name_len /* includes NUL */; ··· 4442 4490 PATH_MAX, nls_codepage, remap); 4443 4491 name_len++; /* trailing null */ 4444 4492 name_len *= 2; 
4445 - } else { /* BB improve the check for buffer overruns BB */ 4446 - name_len = strnlen(searchName, PATH_MAX); 4447 - name_len++; /* trailing null */ 4448 - strncpy(pSMB->FileName, searchName, name_len); 4493 + } else { 4494 + name_len = copy_path_name(pSMB->FileName, searchName); 4449 4495 } 4450 4496 4451 4497 params = 2 /* level */ + 4 /* reserved */ + name_len /* includes NUL */; ··· 4543 4593 pSMB->FileName[name_len+1] = 0; 4544 4594 name_len += 2; 4545 4595 } 4546 - } else { /* BB add check for overrun of SMB buf BB */ 4547 - name_len = strnlen(searchName, PATH_MAX); 4548 - /* BB fix here and in unicode clause above ie 4549 - if (name_len > buffersize-header) 4550 - free buffer exit; BB */ 4551 - strncpy(pSMB->FileName, searchName, name_len); 4596 + } else { 4597 + name_len = copy_path_name(pSMB->FileName, searchName); 4552 4598 if (msearch) { 4553 - pSMB->FileName[name_len] = CIFS_DIR_SEP(cifs_sb); 4554 - pSMB->FileName[name_len+1] = '*'; 4555 - pSMB->FileName[name_len+2] = 0; 4556 - name_len += 3; 4599 + if (WARN_ON_ONCE(name_len > PATH_MAX-2)) 4600 + name_len = PATH_MAX-2; 4601 + /* overwrite nul byte */ 4602 + pSMB->FileName[name_len-1] = CIFS_DIR_SEP(cifs_sb); 4603 + pSMB->FileName[name_len] = '*'; 4604 + pSMB->FileName[name_len+1] = 0; 4605 + name_len += 2; 4557 4606 } 4558 4607 } 4559 4608 ··· 4847 4898 remap); 4848 4899 name_len++; /* trailing null */ 4849 4900 name_len *= 2; 4850 - } else { /* BB improve the check for buffer overruns BB */ 4851 - name_len = strnlen(search_name, PATH_MAX); 4852 - name_len++; /* trailing null */ 4853 - strncpy(pSMB->FileName, search_name, name_len); 4901 + } else { 4902 + name_len = copy_path_name(pSMB->FileName, search_name); 4854 4903 } 4855 4904 4856 4905 params = 2 /* level */ + 4 /* rsrvd */ + name_len /* incl null */ ; ··· 4955 5008 name_len++; /* trailing null */ 4956 5009 name_len *= 2; 4957 5010 } else { /* BB improve the check for buffer overruns BB */ 4958 - name_len = strnlen(search_name, PATH_MAX); 
4959 - name_len++; /* trailing null */ 4960 - strncpy(pSMB->RequestFileName, search_name, name_len); 5011 + name_len = copy_path_name(pSMB->RequestFileName, search_name); 4961 5012 } 4962 5013 4963 5014 if (ses->server->sign) ··· 5608 5663 PATH_MAX, cifs_sb->local_nls, remap); 5609 5664 name_len++; /* trailing null */ 5610 5665 name_len *= 2; 5611 - } else { /* BB improve the check for buffer overruns BB */ 5612 - name_len = strnlen(file_name, PATH_MAX); 5613 - name_len++; /* trailing null */ 5614 - strncpy(pSMB->FileName, file_name, name_len); 5666 + } else { 5667 + name_len = copy_path_name(pSMB->FileName, file_name); 5615 5668 } 5616 5669 params = 6 + name_len; 5617 5670 data_count = sizeof(struct file_end_of_file_info); ··· 5902 5959 PATH_MAX, nls_codepage, remap); 5903 5960 name_len++; /* trailing null */ 5904 5961 name_len *= 2; 5905 - } else { /* BB improve the check for buffer overruns BB */ 5906 - name_len = strnlen(fileName, PATH_MAX); 5907 - name_len++; /* trailing null */ 5908 - strncpy(pSMB->FileName, fileName, name_len); 5962 + } else { 5963 + name_len = copy_path_name(pSMB->FileName, fileName); 5909 5964 } 5910 5965 5911 5966 params = 6 + name_len; ··· 5981 6040 PATH_MAX, nls_codepage); 5982 6041 name_len++; /* trailing null */ 5983 6042 name_len *= 2; 5984 - } else { /* BB improve the check for buffer overruns BB */ 5985 - name_len = strnlen(fileName, PATH_MAX); 5986 - name_len++; /* trailing null */ 5987 - strncpy(pSMB->fileName, fileName, name_len); 6043 + } else { 6044 + name_len = copy_path_name(pSMB->fileName, fileName); 5988 6045 } 5989 6046 pSMB->attr = cpu_to_le16(dos_attrs); 5990 6047 pSMB->BufferFormat = 0x04; ··· 6142 6203 PATH_MAX, nls_codepage, remap); 6143 6204 name_len++; /* trailing null */ 6144 6205 name_len *= 2; 6145 - } else { /* BB improve the check for buffer overruns BB */ 6146 - name_len = strnlen(file_name, PATH_MAX); 6147 - name_len++; /* trailing null */ 6148 - strncpy(pSMB->FileName, file_name, name_len); 6206 + } else { 
6207 + name_len = copy_path_name(pSMB->FileName, file_name); 6149 6208 } 6150 6209 6151 6210 params = 6 + name_len; ··· 6235 6298 PATH_MAX, nls_codepage, remap); 6236 6299 list_len++; /* trailing null */ 6237 6300 list_len *= 2; 6238 - } else { /* BB improve the check for buffer overruns BB */ 6239 - list_len = strnlen(searchName, PATH_MAX); 6240 - list_len++; /* trailing null */ 6241 - strncpy(pSMB->FileName, searchName, list_len); 6301 + } else { 6302 + list_len = copy_path_name(pSMB->FileName, searchName); 6242 6303 } 6243 6304 6244 6305 params = 2 /* level */ + 4 /* reserved */ + list_len /* includes NUL */; ··· 6415 6480 PATH_MAX, nls_codepage, remap); 6416 6481 name_len++; /* trailing null */ 6417 6482 name_len *= 2; 6418 - } else { /* BB improve the check for buffer overruns BB */ 6419 - name_len = strnlen(fileName, PATH_MAX); 6420 - name_len++; /* trailing null */ 6421 - strncpy(pSMB->FileName, fileName, name_len); 6483 + } else { 6484 + name_len = copy_path_name(pSMB->FileName, fileName); 6422 6485 } 6423 6486 6424 6487 params = 6 + name_len;
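Review bot: In the three hunks that build a two-name request (the `from_name`/`to_name` and `fromName`/`toName` branches writing `pSMB->OldFileName`), the second `copy_path_name(pSMB->OldFileName+name_len+1, ...)` starts up to PATH_MAX bytes into the field and may write another PATH_MAX bytes, yet `copy_path_name()` takes no destination size, so nothing at these call sites ties the copy to the space actually left in the request buffer. Whether that buffer always has room for two maximum-length names plus the fixed header is not visible in this diff; if it is guaranteed by the allocation, record it next to the second call, e.g. `/* request buffer is sized for two PATH_MAX names */`. Two context lines also keep the old `BB improve ... check for buffer overruns BB` comment (the `req->fileName` hunk and the `pSMB->RequestFileName` hunk) although those branches now use the bounded helper as well, so the stale comments should be dropped there as in the other hunks. All enclosing functions start and end outside the hunks shown.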
+27 -2
fs/cifs/connect.c
··· 2981 2981 cifs_set_cifscreds(struct smb_vol *vol, struct cifs_ses *ses) 2982 2982 { 2983 2983 int rc = 0; 2984 + int is_domain = 0; 2984 2985 const char *delim, *payload; 2985 2986 char *desc; 2986 2987 ssize_t len; ··· 3029 3028 rc = PTR_ERR(key); 3030 3029 goto out_err; 3031 3030 } 3031 + is_domain = 1; 3032 3032 } 3033 3033 3034 3034 down_read(&key->sem); ··· 3085 3083 kfree(vol->username); 3086 3084 vol->username = NULL; 3087 3085 goto out_key_put; 3086 + } 3087 + 3088 + /* 3089 + * If we have a domain key then we must set the domainName in the 3090 + * for the request. 3091 + */ 3092 + if (is_domain && ses->domainName) { 3093 + vol->domainname = kstrndup(ses->domainName, 3094 + strlen(ses->domainName), 3095 + GFP_KERNEL); 3096 + if (!vol->domainname) { 3097 + cifs_dbg(FYI, "Unable to allocate %zd bytes for " 3098 + "domain\n", len); 3099 + rc = -ENOMEM; 3100 + kfree(vol->username); 3101 + vol->username = NULL; 3102 + kzfree(vol->password); 3103 + vol->password = NULL; 3104 + goto out_key_put; 3105 + } 3088 3106 } 3089 3107 3090 3108 out_key_put: ··· 4231 4209 strlen(vol->prepath) + 1 : 0; 4232 4210 unsigned int unc_len = strnlen(vol->UNC, MAX_TREE_SIZE + 1); 4233 4211 4212 + if (unc_len > MAX_TREE_SIZE) 4213 + return ERR_PTR(-EINVAL); 4214 + 4234 4215 full_path = kmalloc(unc_len + pplen + 1, GFP_KERNEL); 4235 4216 if (full_path == NULL) 4236 4217 return ERR_PTR(-ENOMEM); 4237 4218 4238 - strncpy(full_path, vol->UNC, unc_len); 4219 + memcpy(full_path, vol->UNC, unc_len); 4239 4220 pos = full_path + unc_len; 4240 4221 4241 4222 if (pplen) { 4242 4223 *pos = CIFS_DIR_SEP(cifs_sb); 4243 - strncpy(pos + 1, vol->prepath, pplen); 4224 + memcpy(pos + 1, vol->prepath, pplen); 4244 4225 pos += pplen; 4245 4226 } 4246 4227
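Review bot: In the block added to `cifs_set_cifscreds()`, `kstrndup(ses->domainName, strlen(ses->domainName), GFP_KERNEL)` bounds the copy by the source's own length, so it is `kstrdup()` written the long way and adds no protection; `vol->domainname = kstrdup(ses->domainName, GFP_KERNEL);` says the same thing, or pass `CIFS_MAX_DOMAINNAME_LEN` as the limit if a cap is intended. The failure message prints `len`, which is declared at the top of the function and, as far as these hunks show, is not the domain length, so the byte count it reports is probably unrelated to the allocation that failed. The new comment also reads "in the for the request". Whether `vol->domainname` can already hold an allocation at this point, which the assignment would leak, depends on code outside the hunk.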
+2 -3
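--- a/fs/cifs/dir.c
+++ b/fs/cifs/dir.c
@@ -69,11 +69,10 @@
 return full_path;
 
 if (dfsplen)
-strncpy(full_path, tcon->treeName, dfsplen);
+memcpy(full_path, tcon->treeName, dfsplen);
 full_path[dfsplen] = CIFS_DIR_SEP(cifs_sb);
-strncpy(full_path + dfsplen + 1, vol->prepath, pplen);
+memcpy(full_path + dfsplen + 1, vol->prepath, pplen);
 convert_delimiter(full_path, CIFS_DIR_SEP(cifs_sb));
-full_path[dfsplen + pplen] = 0; /* add trailing null */
 return full_path;
 }
 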
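Review bot: With `full_path[dfsplen + pplen] = 0;` removed, the result is NUL-terminated only because the second `memcpy()` copies `pplen` bytes from `vol->prepath`, which is correct only if `pplen` counts the terminator; that computation lies outside this hunk (the connect.c section of the same commit shows a `strlen(vol->prepath) + 1` form for its own `pplen`). A one-line comment above the copy would keep a later edit from silently dropping the terminator: `/* pplen includes the trailing nul of vol->prepath */`. `dfsplen` and the allocation size are also computed outside the hunk, so the bound on the first `memcpy()` cannot be confirmed from here.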
+22
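--- a/fs/cifs/misc.c
+++ b/fs/cifs/misc.c
@@ -1011,3 +1011,25 @@
 *h = unc;
 *len = end - unc;
 }
+
+/**
+ * copy_path_name - copy src path to dst, possibly truncating
+ *
+ * returns number of bytes written (including trailing nul)
+ */
+int copy_path_name(char *dst, const char *src)
+{
+int name_len;
+
+/*
+ * PATH_MAX includes nul, so if strlen(src) >= PATH_MAX it
+ * will truncate and strlen(dst) will be PATH_MAX-1
+ */
+name_len = strscpy(dst, src, PATH_MAX);
+if (WARN_ON_ONCE(name_len < 0))
+name_len = PATH_MAX-1;
+
+/* we count the trailing nul */
+name_len++;
+return name_len;
+}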
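Review bot: `copy_path_name()` truncates an over-long `src` and still returns an ordinary length, so a caller goes on to send a request for a shortened, and therefore different, path name instead of failing; the only signal is the one-time `WARN_ON_ONCE`. If an over-long name can reach this helper from user-controlled input (not determinable from this hunk), rejecting it with an error such as -ENAMETOOLONG would be safer than truncating, although the call sites in cifssmb.c use the return value directly as a length and would need handling for it. At minimum the kernel-doc should state the contract and describe both parameters, e.g. `* @dst must have room for PATH_MAX bytes; a longer @src is truncated to PATH_MAX-1 characters`.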
+17 -9
fs/cifs/sess.c
··· 159 159 const struct nls_table *nls_cp) 160 160 { 161 161 char *bcc_ptr = *pbcc_area; 162 + int len; 162 163 163 164 /* copy user */ 164 165 /* BB what about null user mounts - check that we do this BB */ 165 166 /* copy user */ 166 167 if (ses->user_name != NULL) { 167 - strncpy(bcc_ptr, ses->user_name, CIFS_MAX_USERNAME_LEN); 168 - bcc_ptr += strnlen(ses->user_name, CIFS_MAX_USERNAME_LEN); 168 + len = strscpy(bcc_ptr, ses->user_name, CIFS_MAX_USERNAME_LEN); 169 + if (WARN_ON_ONCE(len < 0)) 170 + len = CIFS_MAX_USERNAME_LEN - 1; 171 + bcc_ptr += len; 169 172 } 170 173 /* else null user mount */ 171 174 *bcc_ptr = 0; ··· 176 173 177 174 /* copy domain */ 178 175 if (ses->domainName != NULL) { 179 - strncpy(bcc_ptr, ses->domainName, CIFS_MAX_DOMAINNAME_LEN); 180 - bcc_ptr += strnlen(ses->domainName, CIFS_MAX_DOMAINNAME_LEN); 176 + len = strscpy(bcc_ptr, ses->domainName, CIFS_MAX_DOMAINNAME_LEN); 177 + if (WARN_ON_ONCE(len < 0)) 178 + len = CIFS_MAX_DOMAINNAME_LEN - 1; 179 + bcc_ptr += len; 181 180 } /* else we will send a null domain name 182 181 so the server will default to its own domain */ 183 182 *bcc_ptr = 0; ··· 247 242 248 243 kfree(ses->serverOS); 249 244 250 - ses->serverOS = kzalloc(len + 1, GFP_KERNEL); 245 + ses->serverOS = kmalloc(len + 1, GFP_KERNEL); 251 246 if (ses->serverOS) { 252 - strncpy(ses->serverOS, bcc_ptr, len); 247 + memcpy(ses->serverOS, bcc_ptr, len); 248 + ses->serverOS[len] = 0; 253 249 if (strncmp(ses->serverOS, "OS/2", 4) == 0) 254 250 cifs_dbg(FYI, "OS/2 server\n"); 255 251 } ··· 264 258 265 259 kfree(ses->serverNOS); 266 260 267 - ses->serverNOS = kzalloc(len + 1, GFP_KERNEL); 268 - if (ses->serverNOS) 269 - strncpy(ses->serverNOS, bcc_ptr, len); 261 + ses->serverNOS = kmalloc(len + 1, GFP_KERNEL); 262 + if (ses->serverNOS) { 263 + memcpy(ses->serverNOS, bcc_ptr, len); 264 + ses->serverNOS[len] = 0; 265 + } 270 266 271 267 bcc_ptr += len + 1; 272 268 bleft -= len + 1;
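Review bot: In `ascii_ssetup_strings()` the size passed to `strscpy()` includes the terminator, so the user and domain copies now carry at most `CIFS_MAX_USERNAME_LEN - 1` and `CIFS_MAX_DOMAINNAME_LEN - 1` characters, one fewer than the replaced `strncpy()`/`strnlen()` pair allowed. That is harmless only if names of exactly the maximum length are rejected before they reach this function, which is outside the hunk; a comment would record the assumption, e.g. `/* names are validated elsewhere to be shorter than CIFS_MAX_USERNAME_LEN */`. The bound is also the maximum name length rather than the space left at `bcc_ptr`, so the copy still depends on the caller having sized the area for both fields. In the `serverOS`/`serverNOS` hunks `memcpy(..., bcc_ptr, len)` reads `len` bytes of the server's response, and the check that `len` does not exceed the bytes remaining is not in view.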