On Thu, Dec 11, 2008 at 07:16:26PM +0000, Duane Griffin wrote: > The result from readlink is being used to index into the link name > buffer without checking whether it is a valid length. If readlink > returns an error this will fault or cause memory corruption. > > Signed-off-by: Duane Griffin <duaneg@xxxxxxxxx> Acked-by: Michael Halcrow <mhalcrow@xxxxxxxxxx> > --- > fs/ecryptfs/inode.c | 3 ++- > 1 files changed, 2 insertions(+), 1 deletions(-) > > diff --git a/fs/ecryptfs/inode.c b/fs/ecryptfs/inode.c > index 89209f0..5e78fc1 100644 > --- a/fs/ecryptfs/inode.c > +++ b/fs/ecryptfs/inode.c > @@ -673,10 +673,11 @@ static void *ecryptfs_follow_link(struct dentry *dentry, struct nameidata *nd) > ecryptfs_printk(KERN_DEBUG, "Calling readlink w/ " > "dentry->d_name.name = [%s]\n", dentry->d_name.name); > rc = dentry->d_inode->i_op->readlink(dentry, (char __user *)buf, len); > - buf[rc] = '\0'; > set_fs(old_fs); > if (rc < 0) > goto out_free; > + else > + buf[rc] = '\0'; > rc = 0; > nd_set_link(nd, buf); > goto out; -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
