summaryrefslogtreecommitdiff
path: root/fs/fuse
diff options
context:
space:
mode:
authorMiklos Szeredi <mszeredi@suse.cz>2011-08-24 12:20:17 +0400
committerMiklos Szeredi <mszeredi@suse.cz>2011-08-24 12:20:17 +0400
commitc2183d1e9b3f313dd8ba2b1b0197c8d9fb86a7ae (patch)
treefd9e12ce069012b60e5bdcd15627ccf4912d9ef1 /fs/fuse
parent478e0841b3dce3edc2c67bf0fc51af30f582e9e2 (diff)
downloadlinux-c2183d1e9b3f313dd8ba2b1b0197c8d9fb86a7ae.tar.xz
fuse: check size of FUSE_NOTIFY_INVAL_ENTRY message
FUSE_NOTIFY_INVAL_ENTRY didn't check the length of the write so the message processing could overrun and result in a "kernel BUG at fs/fuse/dev.c:629!" Reported-by: Han-Wen Nienhuys <hanwenn@gmail.com> Signed-off-by: Miklos Szeredi <mszeredi@suse.cz> CC: stable@kernel.org
Diffstat (limited to 'fs/fuse')
-rw-r--r--fs/fuse/dev.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
index 640fc229df10..168a80f7f12b 100644
--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -1358,6 +1358,10 @@ static int fuse_notify_inval_entry(struct fuse_conn *fc, unsigned int size,
if (outarg.namelen > FUSE_NAME_MAX)
goto err;
+ err = -EINVAL;
+ if (size != sizeof(outarg) + outarg.namelen + 1)
+ goto err;
+
name.name = buf;
name.len = outarg.namelen;
err = fuse_copy_one(cs, buf, outarg.namelen + 1);