From: Ilya Dryomov <idryomov@xxxxxxxxx> commit 12eb22a5a609421b380c3c6ca887474fb2089b2c upstream. It becomes a path component, so it shouldn't exceed NAME_MAX characters. This was hardened in commit c152737be22b ("ceph: Use strscpy() instead of strcpy() in __get_snap_name()"), but no actual check was put in place. Cc: stable@xxxxxxxxxxxxxxx Signed-off-by: Ilya Dryomov <idryomov@xxxxxxxxx> Reviewed-by: Alex Markuze <amarkuze@xxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- fs/ceph/super.c | 2 ++ 1 file changed, 2 insertions(+) --- a/fs/ceph/super.c +++ b/fs/ceph/super.c @@ -431,6 +431,8 @@ static int ceph_parse_mount_param(struct switch (token) { case Opt_snapdirname: + if (strlen(param->string) > NAME_MAX) + return invalfc(fc, "snapdirname too long"); kfree(fsopt->snapdir_name); fsopt->snapdir_name = param->string; param->string = NULL; Patches currently in stable-queue which might be from idryomov@xxxxxxxxx are queue-6.12/ceph-give-up-on-paths-longer-than-path_max.patch queue-6.12/ceph-validate-snapdirname-option-length-when-mounting.patch queue-6.12/ceph-fix-memory-leaks-in-__ceph_sync_read.patch queue-6.12/ceph-improve-error-handling-and-short-overflow-read-logic-in-__ceph_sync_read.patch queue-6.12/ceph-fix-memory-leak-in-ceph_direct_read_write.patch
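Review bot: In the Opt_snapdirname case of ceph_parse_mount_param(), the new check bounds the value only from above (`strlen(param->string) > NAME_MAX`). Since the commit message says the value becomes a path component, it is worth confirming at this same spot that an empty string and a value containing '/' are also rejected, or noting in the commit message where that is enforced. The placement is correct: the check comes before `kfree(fsopt->snapdir_name)` and before `param->string = NULL`, so on the `invalfc()` return the previously set name is still intact and ownership of the parameter string has not moved.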