[hardy CVE 1/2] befs: ensure fast symlinks are NUL-terminated
Andy Whitcroft
apw at canonical.com
Tue Sep 13 15:21:24 UTC 2011
From: Duane Griffin <duaneg at dghda.com>
Ensure fast symlink targets are NUL-terminated, even if corrupted
on-disk.
Cc: Sergey S. Kostyliov <rathamahata at php4.ru>
Signed-off-by: Duane Griffin <duaneg at dghda.com>
Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
(cherry picked from commit 7df5fa06de89a4ac311957e0cb9c1d87552b4325)
CVE-2011-2928
BugLink: http://bugs.launchpad.net/bugs/834124
Signed-off-by: Andy Whitcroft <apw at canonical.com>
---
fs/befs/linuxvfs.c | 5 ++++-
1 files changed, 4 insertions(+), 1 deletions(-)
diff --git a/fs/befs/linuxvfs.c b/fs/befs/linuxvfs.c
index b28a20e..2c7fa86 100644
--- a/fs/befs/linuxvfs.c
+++ b/fs/befs/linuxvfs.c
@@ -371,7 +371,8 @@ befs_read_inode(struct inode *inode)
inode->i_size = 0;
inode->i_blocks = befs_sb->block_size / VFS_BLOCK_SIZE;
strncpy(befs_ino->i_data.symlink, raw_inode->data.symlink,
- BEFS_SYMLINK_LEN);
+ BEFS_SYMLINK_LEN - 1);
+ befs_ino->i_data.symlink[BEFS_SYMLINK_LEN - 1] = '\0';
} else {
int num_blks;
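Review bot: The truncation in the strncpy() call is silent. When the on-disk raw_inode->data.symlink fills all BEFS_SYMLINK_LEN bytes with no NUL, the last byte is dropped and replaced by the terminator, and nothing records that the inode was corrupt. Consider testing the source for a NUL within BEFS_SYMLINK_LEN bytes before the copy, and reporting the condition the way befs_follow_link does with befs_error(). The bounded copy is the right tool here, since a helper that scans the source for its terminator would read past an unterminated on-disk field. The fix also assumes befs_ino->i_data.symlink is at least BEFS_SYMLINK_LEN bytes. The hunk does not show that declaration, so it is worth confirming.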
@@ -469,6 +470,8 @@ befs_follow_link(struct dentry *dentry, struct nameidata *nd)
kfree(link);
befs_error(sb, "Failed to read entire long symlink");
link = ERR_PTR(-EIO);
+ } else {
+ link[len - 1] = '\0';
}
} else {
link = befs_ino->i_data.symlink;
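Review bot: The new else branch writes link[len - 1] with no visible guard on len. If len is taken from the on-disk inode and can be 0, the index becomes -1 and the store lands one byte before the buffer. The hunk does not show where len is validated, so either reject len == 0 with befs_error() and -EIO before the read, or note in the changelog where that check already exists. As with the fast-symlink case, a long symlink whose last byte was not NUL is shortened here without any message.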
--
1.7.4.1