[PATCH] Fix possible memory corruption in xfs_readlink
Eric Sandeen
sandeen at sandeen.net
Tue Oct 18 09:25:18 CDT 2011
On 10/17/11 11:18 PM, Carlos Maiolino wrote:
> Fixes a possible memory corruption when the link is larger than
> MAXPATHLEN and XFS_DEBUG is not enabled. This also removes the
> S_ISLNK assert, since the inode mode is checked previously in
> xfs_readlink_by_handle() and via VFS.
>
> Signed-off-by: Carlos Maiolino <cmaiolino at redhat.com>
Thanks!
Discussed-to-death-by: Eric Sandeen <sandeen at redhat.com>
Reviewed-by: Eric Sandeen <sandeen at redhat.com>
> ---
> fs/xfs/xfs_vnodeops.c | 11 ++++++++---
> 1 files changed, 8 insertions(+), 3 deletions(-)
>
> diff --git a/fs/xfs/xfs_vnodeops.c b/fs/xfs/xfs_vnodeops.c
> index 51fc429..c3288be 100644
> --- a/fs/xfs/xfs_vnodeops.c
> +++ b/fs/xfs/xfs_vnodeops.c
> @@ -123,13 +123,18 @@ xfs_readlink(
>
> xfs_ilock(ip, XFS_ILOCK_SHARED);
>
> - ASSERT(S_ISLNK(ip->i_d.di_mode));
> - ASSERT(ip->i_d.di_size <= MAXPATHLEN);
> -
> pathlen = ip->i_d.di_size;
> if (!pathlen)
> goto out;
>
> + if (pathlen > MAXPATHLEN) {
> + xfs_alert(mp, "%s: inode (%llu) symlink length (%d) too long",
> + __func__, (unsigned long long)ip->i_ino, pathlen);
> + ASSERT(0);
> + return XFS_ERROR(EFSCORRUPTED);
> + }
> +
> +
> if (ip->i_df.if_flags & XFS_IFINLINE) {
> memcpy(link, ip->i_df.if_u1.if_data, pathlen);
> link[pathlen] = '\0';
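Review bot: the new `pathlen > MAXPATHLEN` branch returns `XFS_ERROR(EFSCORRUPTED)` directly while `ip` is still held under `xfs_ilock(ip, XFS_ILOCK_SHARED)` taken a few lines above, so the shared ilock is leaked on exactly the corrupted-inode path this patch is meant to harden; the existing `if (!pathlen) goto out;` right before it shows the intended pattern, so set the error and branch to the same `out` label (e.g. `error = XFS_ERROR(EFSCORRUPTED); goto out;`) instead of returning. The `ASSERT(0)` keeps the loud failure for XFS_DEBUG builds, which matches the commit message, but on non-debug builds the unlock matters. Minor: the two consecutive blank lines added after the closing brace should be one.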