commit a065c177dfc8f968775593ba00dffafeebb2e054
Author: Jeff Layton <jlayton@redhat.com>
Date:   Tue Jan 26 08:15:41 2010 -0500

    mount.cifs: check for invalid characters in device name and mountpoint
    
    It's apparently possible to corrupt the mtab if you pass embedded
    newlines to addmntent. Apparently tabs are also a problem with certain
    earlier glibc versions. Backslashes are also a minor issue apparently,
    but we can't reasonably filter those.
    
    Make sure that neither the devname nor the mountpoint contains any
    problematic characters before allowing the mount to proceed.
    
    Signed-off-by: Jeff Layton <jlayton@redhat.com>

Index: source3/client/mount.cifs.c
===================================================================
--- source3/client/mount.cifs.c.orig
+++ source3/client/mount.cifs.c
@@ -1043,6 +1043,36 @@ static void print_cifs_mount_version(voi
 		MOUNT_CIFS_VENDOR_SUFFIX);
 }
 
+/*
+ * This function borrowed from fuse-utils...
+ *
+ * glibc's addmntent (at least as of 2.10 or so) doesn't properly encode
+ * newlines embedded within the text fields. To make sure no one corrupts
+ * the mtab, fail the mount if there are embedded newlines.
+ */
+static int check_newline(const char *progname, const char *name)
+{
+    char *s;
+    for (s = "\n"; *s; s++) {
+        if (strchr(name, *s)) {
+            fprintf(stderr, "%s: illegal character 0x%02x in mount entry\n",
+                    progname, *s);
+            return EX_USAGE;
+        }
+    }
+    return 0;
+}
+
+static int check_mtab(const char *progname, const char *devname,
+			const char *dir)
+{
+	if (check_newline(progname, devname) == -1 ||
+	    check_newline(progname, dir) == -1)
+		return EX_USAGE;
+	return 0;
+}
+
+
 int main(int argc, char ** argv)
 {
 	int c;
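Review bot: check_mtab can never reject a name as written. check_newline returns EX_USAGE on a match, but check_mtab compares that result with -1, so the condition is always false and a devname or mountpoint containing a newline still passes the check. Test for non-zero instead, `if (check_newline(progname, devname) || check_newline(progname, dir))`, or have check_newline return -1 to match its caller. The commit message also names tabs as a problem on earlier glibc, yet the scanned set is only `"\n"`; if tabs are meant to be refused, the literal would need to be `"\n\t"`. Separately, `s` points into a string literal and should be declared `const char *s`.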
@@ -1463,6 +1493,10 @@ mount_retry:
 	if (verboseflag)
 		fprintf(stderr, "\n");
 
+	rc = check_mtab(thisprogram, dev_name, mountpoint);
+	if (rc)
+		goto mount_exit;
+
 	if (!fakemnt && mount(dev_name, mountpoint, "cifs", flags, options)) {
 		switch (errno) {
 		case ECONNREFUSED:
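Review bot: The new check_mtab call sits after the `mount_retry:` label named in the hunk header, so it appears to be re-run on every retry even though it depends only on the two names. If nothing on the retry path can add a newline to dev_name or mountpoint, validating once before the label would fail earlier and keep the retry path minimal; main's body lies outside this hunk, so that needs confirming. Whichever placement is kept, a short comment would record the intent, for example `/* refuse names that addmntent cannot encode safely before attempting the mount */`. It is also worth confirming that the `mount_exit` path returns `rc` unchanged, so the caller sees EX_USAGE.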
