[PATCH] d_path() truncation

Jirka Kosina (jikos@jikos.cz)
Mon, 1 Apr 2002 04:49:10 +0200 (CEST)


Hi,

As I've noticed, there isn't fixed the d_path() long name truncation
vulnerability
(http://cert.uni-stuttgart.de/archive/bugtraq/2002/03/msg00384.html) in
2.4.x up to 2.4.19-pre5 (correct me if I'm wrong).

IMHO this trivial patch fixes it (patch against 2.4.18, no idea about
2.2.x kernels, should be similar?) - instead of truncating the path with
no error, caller gets ENAMETOOLONG.

I'm sorry if I've missed something.

Kind regards,

Jirka Kosina.

--- linux/fs/dcache.c.orig Mon Feb 25 20:38:08 2002
+++ linux/fs/dcache.c Mon Apr 1 04:16:45 2002
@@ -977,14 +977,17 @@
parent = dentry->d_parent;
namelen = dentry->d_name.len;
buflen -= namelen + 1;
- if (buflen < 0)
- break;
+ if (buflen < 0){
+ retval = ERR_PTR(-ENAMETOOLONG);
+ goto out;
+ }
end -= namelen;
memcpy(end, dentry->d_name.name, namelen);
*--end = '/';
retval = end;
dentry = parent;
}
+out:
return retval;
global_root:
namelen = dentry->d_name.len;
@@ -993,6 +996,8 @@
retval -= namelen-1; /* hit the slash */
memcpy(retval, dentry->d_name.name, namelen);
}
+ else
+ retval = ERR_PTR(-ENAMETOOLONG);
return retval;
}

@@ -1042,8 +1047,11 @@
spin_unlock(&dcache_lock);

error = -ERANGE;
+
+ if (cwd == ERR_PTR(-ENAMETOOLONG)) error = -ENAMETOOLONG;
+
len = PAGE_SIZE + page - cwd;
- if (len <= size) {
+ if (len <= size && error != -ENAMETOOLONG) {
error = len;
if (copy_to_user(buf, cwd, len))
error = -EFAULT;

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/