setcifsacl: fix overrun of subauths array when copying SIDs

copy_sec_desc() copies the owner and group SIDs from one security
descriptor to another. Unfortunately, it doesn't take into account the
fact that these are variable length and routinely overruns the SID
structure when doing this copy and scribbles over the destination ACL.

This wasn't noticed before the change in the maximum number of subauths
because the code either overwrote the damage afterward, or the overrun
part was the same between source and destination anyway. Now that the
max number of subauths is 15, it's more noticable.

Fix it to only copy the number of subauths that claimed in the buffer
instead.

Signed-off-by: Jeff Layton <jlayton@samba.org>

diff --git a/setcifsacl.c b/setcifsacl.c
index 23ab5b10e563775ccf3ad3ac22a37b03c2b30309..e97a35fc7c6e0a0dc47d7439e125c0cc15334211 100644 (file)
--- a/setcifsacl.c
+++ b/setcifsacl.c
@@ -78,7 +78,7 @@ copy_sec_desc(const struct cifs_ntsd *pntsd, struct cifs_ntsd *pnntsd,
        nowner_sid_ptr->num_subauth = owner_sid_ptr->num_subauth;
        for (i = 0; i < NUM_AUTHS; i++)
                nowner_sid_ptr->authority[i] = owner_sid_ptr->authority[i];
-       for (i = 0; i < SID_MAX_SUB_AUTHORITIES; i++)
+       for (i = 0; i < owner_sid_ptr->num_subauth; i++)
                nowner_sid_ptr->sub_auth[i] = owner_sid_ptr->sub_auth[i];
 
        /* copy group sid */
@@ -89,7 +89,7 @@ copy_sec_desc(const struct cifs_ntsd *pntsd, struct cifs_ntsd *pnntsd,
        ngroup_sid_ptr->num_subauth = group_sid_ptr->num_subauth;
        for (i = 0; i < NUM_AUTHS; i++)
                ngroup_sid_ptr->authority[i] = group_sid_ptr->authority[i];
-       for (i = 0; i < SID_MAX_SUB_AUTHORITIES; i++)
+       for (i = 0; i < group_sid_ptr->num_subauth; i++)
                ngroup_sid_ptr->sub_auth[i] = group_sid_ptr->sub_auth[i];
 
        return;