On Wed, Sep 04, 2013 at 09:55:43PM -0400, Waiman Long wrote:
> On 09/04/2013 03:43 PM, Al Viro wrote:
> >On Wed, Sep 04, 2013 at 03:33:00PM -0400, Waiman Long wrote:
> >
> >>I have thought about that. But if a d_move() is going on, the string
> >>in the buffer will be discarded as the sequence number will change.
> >>So whether or not it has an embedded null byte shouldn't matter. That
> >>is why I didn't add code to do byte-by-byte copy at this first
> >>patch. I can add code to do that if you think it is safer to do so.
> >Sigh... Junk in the output is not an issue; reading from an invalid address
> >is, since you might not survive to the sequence number check. Again,
> >if p is an address returned by kmalloc(size, ...), dereferencing p + offset
> >is not safe unless offset is less than size.
>
> Yeah, I understand that. As said in my reply to Linus, I will use
> memchr() to see if there is a null byte within the specified length.
> If one is found, I will assume the string is not valid and return
> an error to the caller.

Umm... Strictly speaking, memchr() behaviour is undefined if the third
argument exceeds the size of the object pointed to by the first one. IOW, it
has every right to assume that all characters in the range to be searched
are safely readable. You can't assume that it will read them one by one
until it hits the one you are searching for. In practice it's probably
almost[1] true for all our implementations of memchr(), but...

[1] reads past the character being searched for are very likely, but
they'll be within the same page, which is safe.
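The point Al is making, as an added user-space illustration rather than kernel code from the thread: the claimed length must be checked against the size of the allocated object *before* memchr() or any other read touches the buffer, and the sequence counter can only tell you afterwards whether the copy was torn. The `name_slot` struct, its 16-byte buffer and the even/odd counter convention are constructed for the example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model: a name in a fixed-size allocation, a claimed length
 * that may be stale because a writer (think d_move()) changes the name
 * concurrently, and a counter that is odd while a writer is active. */
struct name_slot {
    char buf[16];      /* the allocated object: every read must stay inside it */
    size_t len;        /* claimed length; may disagree with buf contents */
    unsigned seq;      /* even = stable, odd = writer in progress */
};

/* Validate the claimed length before reading a single byte.  memchr()'s
 * third argument may not exceed the object size, so the sizeof check
 * comes first; only then is scanning for an embedded NUL safe.
 * Returns the usable length, or 0 if the name cannot be trusted. */
size_t checked_name_len(const struct name_slot *s)
{
    size_t len = s->len;

    if (len == 0 || len > sizeof s->buf)
        return 0;                          /* would read past the allocation */
    if (memchr(s->buf, '\0', len) != NULL)
        return 0;                          /* NUL inside the range: torn or bogus */
    return len;
}

/* Copy the name out, then discard the result if the counter was odd or
 * moved while we read.  Returns bytes copied (dst is NUL-terminated on
 * success), or 0 on failure. */
size_t copy_name_checked(const struct name_slot *s, char *dst, size_t dstsz)
{
    unsigned seq = s->seq;
    size_t len;

    if (seq & 1)
        return 0;                          /* writer active: do not even try */
    len = checked_name_len(s);
    if (len == 0 || len >= dstsz)
        return 0;
    memcpy(dst, s->buf, len);
    dst[len] = '\0';
    if (s->seq != seq)
        return 0;                          /* name changed under us: junk, discard */
    return len;
}
```

In the kernel the bound would come from the dentry's allocation, and the counter from the seqcount the thread refers to; the ordering of the checks is the same.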