[PATCH] 2.2.20: Avoid buffer overrun in quota warning

Paul Menage (pmenage@ensim.com)
Thu, 13 Sep 2001 18:50:01 -0700


The quota code in several places does an sprintf() to a fixed (75 char)
buffer, where one of the format arguments is a directory name. If your
mountpoints have long enough names, this can easily overflow and
corrupt data following the buffer.

This has been fixed in 2.4, but not in 2.2.20pre. There are three ways
to fix it:

a) backport the delayed warning code from 2.4, which doesn't use sprintf

b) increase the buffer size

c) limit the %s directives in the sprintf() format string.

Given that 2.2.20 is about to be frozen, this patch takes option b,
increasing the buffer size to be equal to the maximum directory name
length passed to mount() (PAGE_SIZE) plus some slop for the rest of the
string to be printed. Maybe for 2.2.21 it might be worth backporting
the delayed warning code.

Paul

--- linux.orig/include/linux/quota.h Tue Jun 12 00:56:52 2001
+++ linux/include/linux/quota.h Thu Sep 13 18:21:23 2001
@@ -155,7 +155,7 @@
* Maximum length of a message generated in the quota system,
* that needs to be kicked onto the tty.
*/
-#define MAX_QUOTA_MESSAGE 75
+#define MAX_QUOTA_MESSAGE (PAGE_SIZE + 256)

#define DQ_LOCKED 0x01 /* locked for update */
#define DQ_WANT 0x02 /* wanted for update */

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/