From ca976c53de0c33160083d36f70bd18d7970f6969 Mon Sep 17 00:00:00 2001 From: Roel Kluin Date: Tue, 22 Sep 2009 16:43:28 -0700 Subject: smbfs: read buffer overflow This function uses signed integers for the unix_date and local variables - if a negative number is supplied and the leap-year condition is not met, month will be 0, leading to a read of day_n[-1] Signed-off-by: Roel Kluin Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- fs/smbfs/proc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'fs/smbfs') diff --git a/fs/smbfs/proc.c b/fs/smbfs/proc.c index 9468168b9af..71c29b6670b 100644 --- a/fs/smbfs/proc.c +++ b/fs/smbfs/proc.c @@ -509,7 +509,7 @@ date_unix2dos(struct smb_sb_info *server, month = 2; } else { nl_day = (year & 3) || day <= 59 ? day : day - 1; - for (month = 0; month < 12; month++) + for (month = 1; month < 12; month++) if (day_n[month] > nl_day) break; } -- cgit v1.2.3