From: Roel Kluin Date: Tue, 22 Sep 2009 23:43:28 +0000 (-0700) Subject: smbfs: read buffer overflow X-Git-Tag: firefly_0821_release~12688 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=ca976c53de0c33160083d36f70bd18d7970f6969;p=firefly-linux-kernel-4.4.55.git smbfs: read buffer overflow This function uses signed integers for the unix_date and local variables - if a negative number is supplied and the leap-year condition is not met, month will be 0, leading to a read of day_n[-1] Signed-off-by: Roel Kluin Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- diff --git a/fs/smbfs/proc.c b/fs/smbfs/proc.c index 9468168b9af5..71c29b6670b4 100644 --- a/fs/smbfs/proc.c +++ b/fs/smbfs/proc.c @@ -509,7 +509,7 @@ date_unix2dos(struct smb_sb_info *server, month = 2; } else { nl_day = (year & 3) || day <= 59 ? day : day - 1; - for (month = 0; month < 12; month++) + for (month = 1; month < 12; month++) if (day_n[month] > nl_day) break; }