
Re: [PATCH] Fix possible memory corruption in xfs_readlink

To: Carlos Maiolino <cmaiolino@xxxxxxxxxx>
Subject: Re: [PATCH] Fix possible memory corruption in xfs_readlink
From: Eric Sandeen <sandeen@xxxxxxxxxxx>
Date: Tue, 18 Oct 2011 09:25:18 -0500
Cc: xfs@xxxxxxxxxxx
In-reply-to: <1318911538-9174-1-git-send-email-cmaiolino@xxxxxxxxxx>
References: <1318911538-9174-1-git-send-email-cmaiolino@xxxxxxxxxx>
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1

On 10/17/11 11:18 PM, Carlos Maiolino wrote:
> Fixes a possible memory corruption when the link is larger than
> MAXPATHLEN and XFS_DEBUG is not enabled. This also removes the
> S_ISLNK assert, since the inode mode is checked previously in
> xfs_readlink_by_handle() and via VFS.
> 
> Signed-off-by: Carlos Maiolino <cmaiolino@xxxxxxxxxx>

Thanks!

Discussed-to-death-by: Eric Sandeen <sandeen@xxxxxxxxxx>
Reviewed-by: Eric Sandeen <sandeen@xxxxxxxxxx>

> ---
>  fs/xfs/xfs_vnodeops.c |   11 ++++++++---
>  1 files changed, 8 insertions(+), 3 deletions(-)
> 
> diff --git a/fs/xfs/xfs_vnodeops.c b/fs/xfs/xfs_vnodeops.c
> index 51fc429..c3288be 100644
> --- a/fs/xfs/xfs_vnodeops.c
> +++ b/fs/xfs/xfs_vnodeops.c
> @@ -123,13 +123,18 @@ xfs_readlink(
>  
>       xfs_ilock(ip, XFS_ILOCK_SHARED);
>  
> -     ASSERT(S_ISLNK(ip->i_d.di_mode));
> -     ASSERT(ip->i_d.di_size <= MAXPATHLEN);
> -
>       pathlen = ip->i_d.di_size;
>       if (!pathlen)
>               goto out;
>  
> +     if (pathlen > MAXPATHLEN) {
> +             xfs_alert(mp, "%s: inode (%llu) symlink length (%d) too long",
> +                      __func__, (unsigned long long)ip->i_ino, pathlen);
> +             ASSERT(0);
> +             return XFS_ERROR(EFSCORRUPTED);
> +     }
> +
> +
>       if (ip->i_df.if_flags & XFS_IFINLINE) {
>               memcpy(link, ip->i_df.if_u1.if_data, pathlen);
>               link[pathlen] = '\0';
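
Review bot: The new `return XFS_ERROR(EFSCORRUPTED);` in the `pathlen > MAXPATHLEN` branch leaves the function directly, although `xfs_ilock(ip, XFS_ILOCK_SHARED)` was taken a few lines above and the zero-length case just before it exits through `goto out`. If `out` is where the inode lock is dropped, this error path returns with the lock still held, so any later operation needing that inode lock could stall after a corrupted symlink is read. Suggest setting the function's error value to `XFS_ERROR(EFSCORRUPTED)` and using `goto out` so both early exits share the same cleanup. Minor style point: the hunk adds two consecutive blank lines after the closing brace; one is enough.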
