Kernel/linux
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2025-01-09 14:50:19 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

orangefs: strncpy -> strscpy

Browse Source 
It would have been possible for a rogue client-core to send in a symlink
target which is not NUL terminated. This returns EIO if the client-core
gives us corrupt data.

Leave debugfs and superblock code as is for now.

Other dcache.c and namei.c strncpy instances are safe because
ORANGEFS_NAME_MAX = NAME_MAX + 1; there is always enough space for a
name plus a NUL byte.

Signed-off-by: Martin Brandenburg <martin@omnibond.com>
Signed-off-by: Mike Marshall <hubcap@omnibond.com>
This commit is contained in:
Martin Brandenburg 2016-04-08 13:33:21 -04:00 committed by Mike Marshall
parent f83140c146
commit 2eacea74cc
1 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
fs/orangefs/orangefs-utils.c
View File

@ -315,9 +315,13 @@ int orangefs_inode_getattr(struct inode *inode, int new, int size)
inode->i_size = (loff_t)strlen(new_op-> inode->i_size = (loff_t)strlen(new_op->
downcall.resp.getattr.link_target); downcall.resp.getattr.link_target);
orangefs_inode->blksize = (1 << inode->i_blkbits); orangefs_inode->blksize = (1 << inode->i_blkbits);
strlcpy(orangefs_inode->link_target, ret = strscpy(orangefs_inode->link_target,
new_op->downcall.resp.getattr.link_target, new_op->downcall.resp.getattr.link_target,
ORANGEFS_NAME_MAX); ORANGEFS_NAME_MAX);
if (ret == -E2BIG) {
ret = -EIO;
goto out;
}
inode->i_link = orangefs_inode->link_target; inode->i_link = orangefs_inode->link_target;
} }
break; break;