From fbf6404575f42b383d9607321bd129f0e28fc0d7 Mon Sep 17 00:00:00 2001
From: Carlos Maiolino <cmaiolino@redhat.com>
Date: Tue, 18 Oct 2011 02:18:58 -0200
Subject: [PATCH] Fix possible memory corruption in xfs_readlink
Fixes a possible memory corruption when the link is larger than
MAXPATHLEN and XFS_DEBUG is not enabled. This also removes the
S_ISLNK assert, since the inode mode is checked previously in
xfs_readlink_by_handle() and via VFS.
Signed-off-by: Carlos Maiolino <cmaiolino@redhat.com>
---
fs/xfs/xfs_vnodeops.c | 10 +++++++---
1 files changed, 7 insertions(+), 3 deletions(-)
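diff --git a/fs/xfs/xfs_vnodeops.c b/fs/xfs/xfs_vnodeops.c
index c164683..529d983 100644
--- a/fs/xfs/xfs_vnodeops.c
+++ b/fs/xfs/xfs_vnodeops.c
@@ -564,13 +564,17 @@ xfs_readlink(
 
 xfs_ilock(ip, XFS_ILOCK_SHARED);
 
- ASSERT((ip->i_d.di_mode & S_IFMT) == S_IFLNK);
- ASSERT(ip->i_d.di_size <= MAXPATHLEN);
-
 pathlen = ip->i_d.di_size;
 if (!pathlen)
 goto out;
 
+ if (pathlen > MAXPATHLEN) {
+ xfs_fs_cmn_err(CE_ALERT, mp, "%s: inode (%llu) symlink length (%d) too long",
+ __func__, (unsigned long long)ip->i_ino, pathlen);
+ ASSERT(0);
+ return XFS_ERROR(EFSCORRUPTED);
+ }
+
 if (ip->i_df.if_flags & XFS_IFINLINE) {
 memcpy(link, ip->i_df.if_u1.if_data, pathlen);
 link[pathlen] = '\0';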
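Review bot: The new `pathlen > MAXPATHLEN` branch leaves through `return XFS_ERROR(EFSCORRUPTED);` while the shared inode lock taken by `xfs_ilock(ip, XFS_ILOCK_SHARED)` a few lines earlier is still held; the zero-length case just above uses `goto out`, which suggests the unlock sits at that label outside the hunk. If so, every read of a corrupted symlink leaks the lock and later exclusive lockers of that inode can hang, so the branch should set the function's return variable and jump to the label instead, for example `error = XFS_ERROR(EFSCORRUPTED); goto out;` (assuming a local `error` is what `out` returns). The `%d` in the message implies `pathlen` is a signed int, so a corrupted negative `di_size` would pass this check and reach `memcpy` as a huge length; `if (pathlen < 0 || pathlen > MAXPATHLEN) {` closes that. The body of xfs_readlink starts and ends outside the hunk, so both points need confirming against the full function.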
--
1.7.6.4