Duane Griffin wrote: > The result from readlink is being used to index into the link name > buffer without checking whether it is a valid length. If readlink > returns an error this will fault or cause memory corruption. > > Cc: Tyler Hicks <tyhicks@xxxxxxxxxxxxxxxxxx> Acked-by: Tyler Hicks <tyhicks@xxxxxxxxxxxxxxxxxx> > Cc: Dustin Kirkland <kirkland@xxxxxxxxxxxxx> > Cc: ecryptfs-devel@xxxxxxxxxxxxxxxxxxx > Signed-off-by: Duane Griffin <duaneg@xxxxxxxxx> > Acked-by: Michael Halcrow <mhalcrow@xxxxxxxxxx> > --- > > Unchanged from original version. > > fs/ecryptfs/inode.c | 3 ++- > 1 files changed, 2 insertions(+), 1 deletions(-) > > diff --git a/fs/ecryptfs/inode.c b/fs/ecryptfs/inode.c > index 89209f0..5e78fc1 100644 > --- a/fs/ecryptfs/inode.c > +++ b/fs/ecryptfs/inode.c > @@ -673,10 +673,11 @@ static void *ecryptfs_follow_link(struct dentry *dentry, struct nameidata *nd) > ecryptfs_printk(KERN_DEBUG, "Calling readlink w/ " > "dentry->d_name.name = [%s]\n", dentry->d_name.name); > rc = dentry->d_inode->i_op->readlink(dentry, (char __user *)buf, len); > - buf[rc] = '\0'; > set_fs(old_fs); > if (rc < 0) > goto out_free; > + else > + buf[rc] = '\0'; > rc = 0; > nd_set_link(nd, buf); > goto out;
Attachment:
signature.asc
Description: OpenPGP digital signature
