cifs: Validate content of native symlink

Check that path buffer has correct length (it is non-zero and in UNICODE
mode it has even number of bytes) and check that buffer does not contain
null character (UTF-16 null codepoint in UNICODE mode or null byte in
non-unicode mode) because Linux cannot process symlink with null byte.

Signed-off-by: Pali Rohár <[email protected]>
Signed-off-by: Steve French <[email protected]>

Author: pali

fs/smb/client/reparse.c

@@ -547,6 +547,25 @@ int smb2_parse_native_symlink(char **target, const char *buf, unsigned int len,
 	int rc;
 	int i;
 
+	/* Check that length it valid for unicode/non-unicode mode */
+	if (!len || (unicode && (len % 2))) {
+		cifs_dbg(VFS, "srv returned malformed symlink buffer\n");
+		rc = -EIO;
+		goto out;
+	}
+
+	/*
+	 * Check that buffer does not contain UTF-16 null codepoint in unicode
+	 * mode or null byte in non-unicode mode because Linux cannot process
+	 * symlink with null byte.
+	 */
+	if ((unicode && UniStrnlen((wchar_t *)buf, len/2) != len/2) ||
+	    (!unicode && strnlen(buf, len) != len)) {
+		cifs_dbg(VFS, "srv returned null byte in native symlink target location\n");
+		rc = -EIO;
+		goto out;
+	}
+
 	smb_target = cifs_strndup_from_utf16(buf, len, unicode, cifs_sb->local_nls);
 	if (!smb_target) {
 		rc = -ENOMEM;