[hardy, lucid, lucid/fsl-imx51, maverick, maverick/ti-omap4, natty, natty/ti-omap4 CVE 1/1] hfs: add sanity check for file name length

Andy Whitcroft apw at canonical.com
Thu Nov 24 17:50:54 UTC 2011


From: Dan Carpenter <dan.carpenter at oracle.com>

On a corrupted file system the ->len field could be wrong leading to
a buffer overflow.

Reported-and-acked-by: Clement LECIGNE <clement.lecigne at netasq.com>
Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
Cc: stable at kernel.org
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>

(cherry picked from commit bc5b8a9003132ae44559edd63a1623b7b99dfb68)
CVE-2011-4330
BugLink: http://bugs.launchpad.net/bugs/894374
Signed-off-by: Andy Whitcroft <apw at canonical.com>
---
 fs/hfs/trans.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/fs/hfs/trans.c b/fs/hfs/trans.c
index e673a88..b1ce4c7 100644
--- a/fs/hfs/trans.c
+++ b/fs/hfs/trans.c
@@ -40,6 +40,8 @@ int hfs_mac2asc(struct super_block *sb, char *out, const struct hfs_name *in)
 
 	src = in->name;
 	srclen = in->len;
+	if (srclen > HFS_NAMELEN)
+		srclen = HFS_NAMELEN;
 	dst = out;
 	dstlen = HFS_MAX_NAMELEN;
 	if (nls_io) {
-- 
1.7.5.4




More information about the kernel-team mailing list