When we create a static buffer for an inode name, and treat it like a null-terminated string, it needs to be of length CLD_INODE_NAME_MAX + 1 so that it can hold the NULL-terminator.

In cldc_del and cldc_open, we should check that the user-submitted inode name is less than or equal to CLD_INODE_NAME_MAX. Formerly we were just checking that it wasn't too big to fit in the packet.

When copying the inode name out of struct cld_dirent_cur, use snprintf rather than strcpy to ensure that we never overflow the buffer. This isn't strictly necessary if all other checks are working perfectly, but it seems prudent.

Signed-off-by: Colin McCabe <cmccabe@xxxxxxxxxxxxxx>
---
 include/cldc.h | 2 +-
 lib/cldc.c | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/include/cldc.h b/include/cldc.h index f1db7d2..0d72669 100644 --- a/include/cldc.h +++ b/include/cldc.h @@ -41,7 +41,7 @@ struct cldc_call_opts { struct cld_msg_get_resp resp; const char *buf; unsigned int size; - char inode_name[CLD_INODE_NAME_MAX]; + char inode_name[CLD_INODE_NAME_MAX + 1]; } get; } u; }; diff --git a/lib/cldc.c b/lib/cldc.c index 3dc565c..dcc179c 100644 --- a/lib/cldc.c +++ b/lib/cldc.c @@ -903,7 +903,7 @@ int cldc_del(struct cldc_session *sess, const struct cldc_call_opts *copts, return -EINVAL; plen = strlen(pathname); - if (plen > 65530) + if (plen > CLD_INODE_NAME_MAX) return -EINVAL; /* create DEL message */ @@ -974,7 +974,7 @@ int cldc_open(struct cldc_session *sess, return -EINVAL; plen = strlen(pathname); - if (plen > 65530) + if (plen > CLD_INODE_NAME_MAX) return -EINVAL; /* create OPEN message */
--
1.6.2.5
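
Review bot: The commit message promises a strcpy-to-snprintf change for the copy out of struct cld_dirent_cur, but no such hunk is in this patch: the diffstat lists only include/cldc.h and lib/cldc.c with 3 insertions and 3 deletions, and the three changed lines are the `inode_name` declaration and the two `plen` checks. In the include/cldc.h hunk, `char inode_name[CLD_INODE_NAME_MAX + 1];` only reserves room for the terminator; whether the terminator is actually written depends on the copy code that is not shown here. Either add the snprintf hunk or drop that paragraph from the message, and consider a one-line comment on the field saying the `+ 1` is for the NUL.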
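
Review bot: In the cldc_del hunk, replacing `if (plen > 65530)` with `if (plen > CLD_INODE_NAME_MAX)` drops the only visible check that the name fits in the packet, so the function now relies on CLD_INODE_NAME_MAX never exceeding the packet limit, and the value of that constant is not visible in this patch. A compile-time assertion or a comment stating that relationship would keep a later change to the constant from reopening the oversize case. The comparison also admits a name of exactly CLD_INODE_NAME_MAX bytes, which is only safe with the `+ 1` from the include/cldc.h hunk; it is worth noting next to the check that `plen` excludes the terminator.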
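
Review bot: In the cldc_open hunk, the new `if (plen > CLD_INODE_NAME_MAX)` is a second copy of the check just changed in cldc_del, the same duplication that let the 65530 literal sit in two places. A small shared pathname-validation helper called from both functions would keep the limits from drifting apart. Separately, the over-long case returns the same `-EINVAL` as the check directly above it; `-ENAMETOOLONG` would let callers tell the two apart, provided existing callers do not depend on the current code.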