[lucid/fsl-imx51, maverick, maverick/ti-omap4, natty, natty/ti-omap4, oneiric/ti-omap4 CVE 1/1] befs: Validate length of long symbolic links.

Andy Whitcroft apw at canonical.com
Tue Sep 13 15:21:26 UTC 2011


From: Timo Warns <Warns at pre-sense.de>

Signed-off-by: Timo Warns <warns at pre-sense.de>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>

(cherry picked from commit 338d0f0a6fbc82407864606f5b64b75aeb3c70f2)
CVE-2011-2928
BugLink: http://bugs.launchpad.net/bugs/834124
Signed-off-by: Andy Whitcroft <apw at canonical.com>
---
 fs/befs/linuxvfs.c |   23 ++++++++++++++---------
 1 files changed, 14 insertions(+), 9 deletions(-)

diff --git a/fs/befs/linuxvfs.c b/fs/befs/linuxvfs.c
index 615d549..429ea55 100644
--- a/fs/befs/linuxvfs.c
+++ b/fs/befs/linuxvfs.c
@@ -469,17 +469,22 @@ befs_follow_link(struct dentry *dentry, struct nameidata *nd)
 		befs_data_stream *data = &befs_ino->i_data.ds;
 		befs_off_t len = data->size;
 
-		befs_debug(sb, "Follow long symlink");
-
-		link = kmalloc(len, GFP_NOFS);
-		if (!link) {
-			link = ERR_PTR(-ENOMEM);
-		} else if (befs_read_lsymlink(sb, data, link, len) != len) {
-			kfree(link);
-			befs_error(sb, "Failed to read entire long symlink");
+		if (len == 0) {
+			befs_error(sb, "Long symlink with illegal length");
 			link = ERR_PTR(-EIO);
 		} else {
-			link[len - 1] = '\0';
+			befs_debug(sb, "Follow long symlink");
+
+			link = kmalloc(len, GFP_NOFS);
+			if (!link) {
+				link = ERR_PTR(-ENOMEM);
+			} else if (befs_read_lsymlink(sb, data, link, len) != len) {
+				kfree(link);
+				befs_error(sb, "Failed to read entire long symlink");
+				link = ERR_PTR(-EIO);
+			} else {
+				link[len - 1] = '\0';
+			}
 		}
 	} else {
 		link = befs_ino->i_data.symlink;
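Review bot: The new `if (len == 0)` test at the top of the long-symlink branch rejects only the zero case; `len` is still copied from `data->size` with no upper bound before it reaches `kmalloc(len, GFP_NOFS)`. That value comes from the inode's data stream (`befs_ino->i_data.ds`), so a corrupt or crafted filesystem can ask for an arbitrarily large allocation. If `befs_off_t` is wider than the `size_t` that `kmalloc()` takes, the size the allocator sees can also differ from the `len` used afterwards in `befs_read_lsymlink()` and `link[len - 1]`. Consider bounding both ends in the same test, for example `if (len == 0 || len > PATH_MAX)`, so oversized values take the existing "illegal length" error path. The commit message has no body; one sentence saying why zero is unsafe (with `len == 0`, `link[len - 1] = '\0'` indexes before the start of the buffer) would help stable reviewers.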
-- 
1.7.4.1




