cifs: Validate content of native symlink

Check that path buffer has correct length (it is non-zero and in UNICODE
mode it has even number of bytes) and check that buffer does not contain
null character (UTF-16 null codepoint in UNICODE mode or null byte in
non-unicode mode) because Linux cannot process symlink with null byte.

Signed-off-by: Pali Rohár <pali@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>

diff --git a/fs/smb/client/reparse.c b/fs/smb/client/reparse.c
index f74d0a8..f563fd3 100644 (file)
--- a/fs/smb/client/reparse.c
+++ b/fs/smb/client/reparse.c
@@ -547,6 +547,25 @@ int smb2_parse_native_symlink(char **target, const char *buf, unsigned int len,
        int rc;
        int i;
 
+       /* Check that length it valid for unicode/non-unicode mode */
+       if (!len || (unicode && (len % 2))) {
+               cifs_dbg(VFS, "srv returned malformed symlink buffer\n");
+               rc = -EIO;
+               goto out;
+       }
+
+       /*
+        * Check that buffer does not contain UTF-16 null codepoint in unicode
+        * mode or null byte in non-unicode mode because Linux cannot process
+        * symlink with null byte.
+        */
+       if ((unicode && UniStrnlen((wchar_t *)buf, len/2) != len/2) ||
+           (!unicode && strnlen(buf, len) != len)) {
+               cifs_dbg(VFS, "srv returned null byte in native symlink target location\n");
+               rc = -EIO;
+               goto out;
+       }
+
        smb_target = cifs_strndup_from_utf16(buf, len, unicode, cifs_sb->local_nls);
        if (!smb_target) {
                rc = -ENOMEM;