Commit ca976c53 authored by Roel Kluin's avatar Roel Kluin Committed by Linus Torvalds

smbfs: read buffer overflow

This function uses signed integers for the unix_date and local variables -
if a negative number is supplied and the leap-year condition is not met,
month will be 0, leading to a read of day_n[-1]
Signed-off-by: default avatarRoel Kluin <roel.kluin@gmail.com>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent fa081b00
...@@ -509,7 +509,7 @@ date_unix2dos(struct smb_sb_info *server, ...@@ -509,7 +509,7 @@ date_unix2dos(struct smb_sb_info *server,
month = 2; month = 2;
} else { } else {
nl_day = (year & 3) || day <= 59 ? day : day - 1; nl_day = (year & 3) || day <= 59 ? day : day - 1;
for (month = 0; month < 12; month++) for (month = 1; month < 12; month++)
if (day_n[month] > nl_day) if (day_n[month] > nl_day)
break; break;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment