From patchwork Thu Nov 24 17:50:54 2011
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: [hardy, lucid, lucid/fsl-imx51, maverick, maverick/ti-omap4, natty,
 natty/ti-omap4, CVE, 1/1] hfs: add sanity check for file name length
Date: Thu, 24 Nov 2011 07:50:54 -0000
From: Andy Whitcroft <apw@canonical.com>
X-Patchwork-Id: 127595
Message-Id: <1322157054-27754-2-git-send-email-apw@canonical.com>
To: kernel-team@lists.ubuntu.com
Cc: Andy Whitcroft <apw@canonical.com>

From: Dan Carpenter <dan.carpenter@oracle.com>

On a corrupted file system the ->len field could be wrong leading to
a buffer overflow.

Reported-and-acked-by: Clement LECIGNE <clement.lecigne@netasq.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

(cherry picked from commit bc5b8a9003132ae44559edd63a1623b7b99dfb68)
CVE-2011-4330
BugLink: http://bugs.launchpad.net/bugs/894374
Signed-off-by: Andy Whitcroft <apw@canonical.com>

---
fs/hfs/trans.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/fs/hfs/trans.c b/fs/hfs/trans.c
index e673a88..b1ce4c7 100644
--- a/fs/hfs/trans.c
+++ b/fs/hfs/trans.c
@@ -40,6 +40,8 @@ int hfs_mac2asc(struct super_block *sb, char *out, const struct hfs_name *in)
 
 	src = in->name;
 	srclen = in->len;
+	if (srclen > HFS_NAMELEN)
+		srclen = HFS_NAMELEN;
 	dst = out;
 	dstlen = HFS_MAX_NAMELEN;
 	if (nls_io) {