diff options
author | Miklos Szeredi <mszeredi@redhat.com> | 2016-09-01 12:12:00 +0300 |
---|---|---|
committer | Miklos Szeredi <mszeredi@redhat.com> | 2016-09-01 12:12:00 +0300 |
commit | 7cb35119d067191ce9ebc380a599db0b03cbd9d9 (patch) | |
tree | 15168c61d1f884399b4acdb81eb19092e43b453b /fs/overlayfs | |
parent | 0eb45fc3bb7a2cf9c9c93d9e95986a841e5f4625 (diff) | |
download | linux-7cb35119d067191ce9ebc380a599db0b03cbd9d9.tar.xz |
ovl: listxattr: use strnlen()
Be defensive about what underlying fs provides us in the returned xattr
list buffer. If it's not properly null terminated, bail out with a warning
insead of BUG.
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Cc: <stable@vger.kernel.org>
Diffstat (limited to 'fs/overlayfs')
-rw-r--r-- | fs/overlayfs/inode.c | 17 |
1 files changed, 10 insertions, 7 deletions
diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c index 1878591f6a2d..c75625c1efa3 100644 --- a/fs/overlayfs/inode.c +++ b/fs/overlayfs/inode.c @@ -255,7 +255,8 @@ ssize_t ovl_listxattr(struct dentry *dentry, char *list, size_t size) { struct dentry *realdentry = ovl_dentry_real(dentry); ssize_t res; - int off; + size_t len; + char *s; const struct cred *old_cred; old_cred = ovl_override_creds(dentry->d_sb); @@ -265,17 +266,19 @@ ssize_t ovl_listxattr(struct dentry *dentry, char *list, size_t size) return res; /* filter out private xattrs */ - for (off = 0; off < res;) { - char *s = list + off; - size_t slen = strlen(s) + 1; + for (s = list, len = res; len;) { + size_t slen = strnlen(s, len) + 1; - BUG_ON(off + slen > res); + /* underlying fs providing us with an broken xattr list? */ + if (WARN_ON(slen > len)) + return -EIO; + len -= slen; if (ovl_is_private_xattr(s)) { res -= slen; - memmove(s, s + slen, res - off); + memmove(s, s + slen, len); } else { - off += slen; + s += slen; } } |