From fbf6404575f42b383d9607321bd129f0e28fc0d7 Mon Sep 17 00:00:00 2001

From: Carlos Maiolino <cmaiolino@redhat.com>

Date: Tue, 18 Oct 2011 02:18:58 -0200

Subject: [PATCH] Fix possible memory corruption in xfs_readlink

Fixes a possible memory corruption when the link is larger than

MAXPATHLEN and XFS_DEBUG is not enabled. This also remove the

S_ISLNK assert, since the inode mode is checked previously in

xfs_readlink_by_handle() and via VFS.

Signed-off-by: Carlos Maiolino <cmaiolino@redhat.com>

---

 fs/xfs/xfs_vnodeops.c |   10 +++++++---

 1 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/fs/xfs/xfs_vnodeops.c b/fs/xfs/xfs_vnodeops.c

index c164683..529d983 100644

--- a/fs/xfs/xfs_vnodeops.c

+++ b/fs/xfs/xfs_vnodeops.c

@@ -564,13 +564,17 @@ xfs_readlink(

 	xfs_ilock(ip, XFS_ILOCK_SHARED);

-	ASSERT((ip->i_d.di_mode & S_IFMT) == S_IFLNK);

-	ASSERT(ip->i_d.di_size <= MAXPATHLEN);

-

 	pathlen = ip->i_d.di_size;

 	if (!pathlen)

 		goto out;

+	if (pathlen > MAXPATHLEN) {

+		xfs_fs_cmn_err(CE_ALERT, mp, "%s: inode (%llu) symlink length (%d) too long",

+			 __func__, (unsigned long long)ip->i_ino, pathlen);

+		ASSERT(0);

+		return XFS_ERROR(EFSCORRUPTED);

+	}

+

 	if (ip->i_df.if_flags & XFS_IFINLINE) {

 		memcpy(link, ip->i_df.if_u1.if_data, pathlen);

 		link[pathlen] = '\0';

-- 

1.7.6.4