Patchwork 9p: strlen() doesn't count the terminator

Submitter Dan Carpenter
Date July 10, 2010, 9:51 a.m.
Message ID <20100710095154.GU19184@bicker>
Permalink /patch/58467/
State Accepted
Delegated to: David Miller

Comments

Dan Carpenter - July 10, 2010, 9:51 a.m.
This is an off by one bug because strlen() doesn't count the NULL
terminator.  We strcpy() addr into a fixed length array of size
UNIX_PATH_MAX later on.

The addr variable is the name of the device being mounted.

CC: stable@kernel.org
Signed-off-by: Dan Carpenter <error27@gmail.com>

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Andrew Morton - July 12, 2010, 8:04 p.m.
On Sat, 10 Jul 2010 11:51:54 +0200
Dan Carpenter <error27@gmail.com> wrote:

> This is an off by one bug because strlen() doesn't count the NULL
> terminator.  We strcpy() addr into a fixed length array of size
> UNIX_PATH_MAX later on.
> 
> The addr variable is the name of the device being mounted.
> 
> CC: stable@kernel.org
> Signed-off-by: Dan Carpenter <error27@gmail.com>
> 
> diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c
> index 98ce9bc..c85109d 100644
> --- a/net/9p/trans_fd.c
> +++ b/net/9p/trans_fd.c
> @@ -948,7 +948,7 @@ p9_fd_create_unix(struct p9_client *client, const char *addr, char *args)
>  
>  	csocket = NULL;
>  
> -	if (strlen(addr) > UNIX_PATH_MAX) {
> +	if (strlen(addr) >= UNIX_PATH_MAX) {
>  		P9_EPRINTK(KERN_ERR, "p9_trans_unix: address too long: %s\n",
>  			addr);
>  		return -ENAMETOOLONG;

This bug doesn't strike me as serious enough to warrant backporting the fix
into -stable.  What was your thinking there?

Dan Carpenter - July 12, 2010, 9:51 p.m.
On Mon, Jul 12, 2010 at 01:04:58PM -0700, Andrew Morton wrote:
> > diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c
> > index 98ce9bc..c85109d 100644
> > --- a/net/9p/trans_fd.c
> > +++ b/net/9p/trans_fd.c
> > @@ -948,7 +948,7 @@ p9_fd_create_unix(struct p9_client *client, const char *addr, char *args)
> >  
> >  	csocket = NULL;
> >  
> > -	if (strlen(addr) > UNIX_PATH_MAX) {
> > +	if (strlen(addr) >= UNIX_PATH_MAX) {
> >  		P9_EPRINTK(KERN_ERR, "p9_trans_unix: address too long: %s\n",
> >  			addr);
> >  		return -ENAMETOOLONG;
> 
> This bug doesn't strike me as serious enough to warrant backporting the fix
> into -stable.  What was your thinking there?

I don't feel strongly about it.  It's safe enough and it applies
cleanly.  On the other hand, root should always control the name of the
device to mount so it's not a big deal.

regards,
dan carpenter
David Miller - July 13, 2010, 3:34 a.m.
From: Andrew Morton <akpm@linux-foundation.org>
Date: Mon, 12 Jul 2010 13:04:58 -0700

> This bug doesn't strike me as serious enough to warrant backporting the fix
> into -stable.  What was your thinking there?

Meanwhile I'll queue this up to net-next-2.6, thanks.

Patch

diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c
index 98ce9bc..c85109d 100644
--- a/net/9p/trans_fd.c
+++ b/net/9p/trans_fd.c
@@ -948,7 +948,7 @@  p9_fd_create_unix(struct p9_client *client, const char *addr, char *args)
 
 	csocket = NULL;
 
-	if (strlen(addr) > UNIX_PATH_MAX) {
+	if (strlen(addr) >= UNIX_PATH_MAX) {
 		P9_EPRINTK(KERN_ERR, "p9_trans_unix: address too long: %s\n",
 			addr);
 		return -ENAMETOOLONG;
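
Review bot: The `>=` bound on the changed line is correct, but the copy it protects is the strcpy() that the commit message says happens later, outside this hunk, so the check and the copy are linked only by the constant UNIX_PATH_MAX. Consider deriving the limit from the destination itself (sizeof the array that addr is copied into) or replacing the later strcpy() with a bounded copy, so the two cannot drift apart when either one is edited. A one-line comment above the `if` stating that the limit has to leave room for the terminating NUL would also make the reason for `>=` rather than `>` visible to the next reader.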