Patchwork [hardy,CVE,1/2] befs: ensure fast symlinks are NUL-terminated

login
register
mail settings
Submitter Andy Whitcroft
Date Sept. 13, 2011, 3:21 p.m.
Message ID <1315927286-24322-2-git-send-email-apw@canonical.com>
Download mbox | patch
Permalink /patch/114507/
State New
Headers show

Comments

Andy Whitcroft - Sept. 13, 2011, 3:21 p.m.
From: Duane Griffin <duaneg@dghda.com>

Ensure fast symlink targets are NUL-terminated, even if corrupted
on-disk.

Cc: Sergey S. Kostyliov <rathamahata@php4.ru>
Signed-off-by: Duane Griffin <duaneg@dghda.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

(cherry picked from commit 7df5fa06de89a4ac311957e0cb9c1d87552b4325)
CVE-2011-2928
BugLink: http://bugs.launchpad.net/bugs/834124
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
 fs/befs/linuxvfs.c |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

Patch

diff --git a/fs/befs/linuxvfs.c b/fs/befs/linuxvfs.c
index b28a20e..2c7fa86 100644
--- a/fs/befs/linuxvfs.c
+++ b/fs/befs/linuxvfs.c
@@ -371,7 +371,8 @@  befs_read_inode(struct inode *inode)
 		inode->i_size = 0;
 		inode->i_blocks = befs_sb->block_size / VFS_BLOCK_SIZE;
 		strncpy(befs_ino->i_data.symlink, raw_inode->data.symlink,
-			BEFS_SYMLINK_LEN);
+			BEFS_SYMLINK_LEN - 1);
+		befs_ino->i_data.symlink[BEFS_SYMLINK_LEN - 1] = '\0';
 	} else {
 		int num_blks;
 
@@ -469,6 +470,8 @@  befs_follow_link(struct dentry *dentry, struct nameidata *nd)
 			kfree(link);
 			befs_error(sb, "Failed to read entire long symlink");
 			link = ERR_PTR(-EIO);
+		} else {
+			link[len - 1] = '\0';
 		}
 	} else {
 		link = befs_ino->i_data.symlink;