Message ID | 20100710095154.GU19184@bicker |
---|---|
State | Accepted, archived |
Delegated to: | David Miller |
Headers | show |
On Sat, 10 Jul 2010 11:51:54 +0200 Dan Carpenter <error27@gmail.com> wrote: > This is an off by one bug because strlen() doesn't count the NULL > terminator. We strcpy() addr into a fixed length array of size > UNIX_PATH_MAX later on. > > The addr variable is the name of the device being mounted. > > CC: stable@kernel.org > Signed-off-by: Dan Carpenter <error27@gmail.com> > > diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c > index 98ce9bc..c85109d 100644 > --- a/net/9p/trans_fd.c > +++ b/net/9p/trans_fd.c > @@ -948,7 +948,7 @@ p9_fd_create_unix(struct p9_client *client, const char *addr, char *args) > > csocket = NULL; > > - if (strlen(addr) > UNIX_PATH_MAX) { > + if (strlen(addr) >= UNIX_PATH_MAX) { > P9_EPRINTK(KERN_ERR, "p9_trans_unix: address too long: %s\n", > addr); > return -ENAMETOOLONG; This bug doesn't strike me as serious enough to warrant backporting the fix into -stable. What was your thinking there? -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Mon, Jul 12, 2010 at 01:04:58PM -0700, Andrew Morton wrote: > > diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c > > index 98ce9bc..c85109d 100644 > > --- a/net/9p/trans_fd.c > > +++ b/net/9p/trans_fd.c > > @@ -948,7 +948,7 @@ p9_fd_create_unix(struct p9_client *client, const char *addr, char *args) > > > > csocket = NULL; > > > > - if (strlen(addr) > UNIX_PATH_MAX) { > > + if (strlen(addr) >= UNIX_PATH_MAX) { > > P9_EPRINTK(KERN_ERR, "p9_trans_unix: address too long: %s\n", > > addr); > > return -ENAMETOOLONG; > > This bug doesn't strike me as serious enough to warrant backporting the fix > into -stable. What was your thinking there? I don't feel strongly about it. It's safe enough and it applies cleanly. On the other hand, root should always control the name of the device to mount so it's not a big deal. regards, dan carpenter -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
From: Andrew Morton <akpm@linux-foundation.org> Date: Mon, 12 Jul 2010 13:04:58 -0700 > This bug doesn't strike me as serious enough to warrant backporting the fix > into -stable. What was your thinking there? Meanwhile I'll queue this up to net-next-2.6, thanks. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c index 98ce9bc..c85109d 100644 --- a/net/9p/trans_fd.c +++ b/net/9p/trans_fd.c @@ -948,7 +948,7 @@ p9_fd_create_unix(struct p9_client *client, const char *addr, char *args) csocket = NULL; - if (strlen(addr) > UNIX_PATH_MAX) { + if (strlen(addr) >= UNIX_PATH_MAX) { P9_EPRINTK(KERN_ERR, "p9_trans_unix: address too long: %s\n", addr); return -ENAMETOOLONG;
This is an off by one bug because strlen() doesn't count the NULL terminator. We strcpy() addr into a fixed length array of size UNIX_PATH_MAX later on. The addr variable is the name of the device being mounted. CC: stable@kernel.org Signed-off-by: Dan Carpenter <error27@gmail.com> -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html