Patchwork [hardy,CVE,2/2] befs: Validate length of long symbolic links.

login
register
mail settings
Submitter Andy Whitcroft
Date Sept. 13, 2011, 3:21 p.m.
Message ID <1315927286-24322-3-git-send-email-apw@canonical.com>
Download mbox | patch
Permalink /patch/114505/
State New
Headers show

Comments

Andy Whitcroft - Sept. 13, 2011, 3:21 p.m.
From: Timo Warns <Warns@pre-sense.de>

Signed-off-by: Timo Warns <warns@pre-sense.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

(cherry picked from commit 338d0f0a6fbc82407864606f5b64b75aeb3c70f2)
CVE-2011-2928
BugLink: http://bugs.launchpad.net/bugs/834124
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
 fs/befs/linuxvfs.c |   23 ++++++++++++++---------
 1 files changed, 14 insertions(+), 9 deletions(-)

Patch

diff --git a/fs/befs/linuxvfs.c b/fs/befs/linuxvfs.c
index 2c7fa86..242e0d7 100644
--- a/fs/befs/linuxvfs.c
+++ b/fs/befs/linuxvfs.c
@@ -461,17 +461,22 @@  befs_follow_link(struct dentry *dentry, struct nameidata *nd)
 		befs_data_stream *data = &befs_ino->i_data.ds;
 		befs_off_t len = data->size;
 
-		befs_debug(sb, "Follow long symlink");
-
-		link = kmalloc(len, GFP_NOFS);
-		if (!link) {
-			link = ERR_PTR(-ENOMEM);
-		} else if (befs_read_lsymlink(sb, data, link, len) != len) {
-			kfree(link);
-			befs_error(sb, "Failed to read entire long symlink");
+		if (len == 0) {
+			befs_error(sb, "Long symlink with illegal length");
 			link = ERR_PTR(-EIO);
 		} else {
-			link[len - 1] = '\0';
+			befs_debug(sb, "Follow long symlink");
+
+			link = kmalloc(len, GFP_NOFS);
+			if (!link) {
+				link = ERR_PTR(-ENOMEM);
+			} else if (befs_read_lsymlink(sb, data, link, len) != len) {
+				kfree(link);
+				befs_error(sb, "Failed to read entire long symlink");
+				link = ERR_PTR(-EIO);
+			} else {
+				link[len - 1] = '\0';
+			}
 		}
 	} else {
 		link = befs_ino->i_data.symlink;