On Wed, Sep 15, 2021 at 11:22:04AM -0400, Vivek Goyal wrote:
> split_fs_names() currently takes comma separated list of filesystems
> and converts it into individual filesystem strings. Places these
> strings in the input buffer passed by caller and returns number of
> strings.
>
> If caller manages to pass input string bigger than buffer, then we
> can write beyond the buffer. Or if string just fits buffer, we will
> still write beyond the buffer as we append a '\0' byte at the end.
>
> Will be nice to pass size of input buffer to split_fs_names() and
> put enough checks in place so such buffer overrun possibilities
> do not occur.
>
> Hence this patch adds "size" parameter to split_fs_names() and makes
> sure we do not access memory beyond size. If input string "names"
> is larger than passed in buffer, input string will be truncated to
> fit in buffer.
>
> Reported-by: xu xin <xu.xin16@xxxxxxxxxx>
> Signed-off-by: Vivek Goyal <vgoyal@xxxxxxxxxx>
> ---

Strange but probably reasonable,
Acked-by: Christian Brauner <christian.brauner@xxxxxxxxxx>
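
The size-bounded split described in the quoted commit message, as an added user-space example that is not part of the original mail or the kernel patch. The function names, the two-terminator layout and the guard-arena helper are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Illustrative user-space sketch, not the kernel function: copy the
 * comma-separated `names` into buf[0..size-1], truncating if needed, turn
 * each ',' into '\0', end the list with an extra '\0', return the count. */
static int split_names_bounded(char *buf, size_t size, const char *names)
{
    size_t len, i;
    int count = 0;
    const char *p;
    if (size < 2) {             /* no room for a string plus list terminator */
        if (size)
            buf[0] = '\0';
        return 0;
    }
    len = strlen(names);
    if (len > size - 2)
        len = size - 2;         /* truncate instead of overrunning */
    memcpy(buf, names, len);
    buf[len] = '\0';            /* ends the last string */
    buf[len + 1] = '\0';        /* ends the list, still inside buf */
    for (i = 0; i < len; i++)
        if (buf[i] == ',')
            buf[i] = '\0';
    for (p = buf; *p; p += strlen(p) + 1)
        count++;
    return count;
}

/* Constructed check: split into a guarded arena (size <= 48); returns the
 * count, or -1 if any byte outside the `size`-byte window was modified. */
static int split_with_guard(const char *names, size_t size)
{
    char arena[64];
    size_t i;
    int n;
    memset(arena, 0x5a, sizeof(arena));
    n = split_names_bounded(arena + 16, size, names);
    for (i = 0; i < sizeof(arena); i++)
        if ((i < 16 || i >= 16 + size) && arena[i] != 0x5a)
            return -1;
    return n;
}

int main(void)
{
    return split_with_guard("ext4,xfs,btrfs", 16) == 3 ? 0 : 1;
}
```

The 14-character list needs a 16-byte buffer to fit whole; any smaller size truncates the list rather than writing past the buffer.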