mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
synced 2025-01-09 23:00:21 +00:00
orangefs: strncpy -> strscpy
It would have been possible for a rogue client-core to send in a symlink target which is not NUL terminated. This returns EIO if the client-core gives us corrupt data. Leave debugfs and superblock code as is for now. Other dcache.c and namei.c strncpy instances are safe because ORANGEFS_NAME_MAX = NAME_MAX + 1; there is always enough space for a name plus a NUL byte. Signed-off-by: Martin Brandenburg <martin@omnibond.com> Signed-off-by: Mike Marshall <hubcap@omnibond.com>
This commit is contained in:
parent
f83140c146
commit
2eacea74cc
@ -315,9 +315,13 @@ int orangefs_inode_getattr(struct inode *inode, int new, int size)
|
|||||||
inode->i_size = (loff_t)strlen(new_op->
|
inode->i_size = (loff_t)strlen(new_op->
|
||||||
downcall.resp.getattr.link_target);
|
downcall.resp.getattr.link_target);
|
||||||
orangefs_inode->blksize = (1 << inode->i_blkbits);
|
orangefs_inode->blksize = (1 << inode->i_blkbits);
|
||||||
strlcpy(orangefs_inode->link_target,
|
ret = strscpy(orangefs_inode->link_target,
|
||||||
new_op->downcall.resp.getattr.link_target,
|
new_op->downcall.resp.getattr.link_target,
|
||||||
ORANGEFS_NAME_MAX);
|
ORANGEFS_NAME_MAX);
|
||||||
|
if (ret == -E2BIG) {
|
||||||
|
ret = -EIO;
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
inode->i_link = orangefs_inode->link_target;
|
inode->i_link = orangefs_inode->link_target;
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
|
Loading…
x
Reference in New Issue
Block a user