forked from Minki/linux
xfs: Fix possible memory corruption in xfs_readlink
Fixes a possible memory corruption when the link is larger than MAXPATHLEN and XFS_DEBUG is not enabled. This also remove the S_ISLNK assert, since the inode mode is checked previously in xfs_readlink_by_handle() and via VFS. Updated to address concerns raised by Ben Hutchings about the loose attention paid to 32- vs 64-bit values, and the lack of handling a potentially negative pathlen value: - Changed type of "pathlen" to be xfs_fsize_t, to match that of ip->i_d.di_size - Added checking for a negative pathlen to the too-long pathlen test, and generalized the message that gets reported in that case to reflect the change As a result, if a negative pathlen were encountered, this function would return EFSCORRUPTED (and would fail an assertion for a debug build)--just as would a too-long pathlen. Signed-off-by: Alex Elder <aelder@sgi.com> Signed-off-by: Carlos Maiolino <cmaiolino@redhat.com> Reviewed-by: Christoph Hellwig <hch@lst.de>
This commit is contained in:
parent
1ea6b8f489
commit
b52a360b2a
@ -112,7 +112,7 @@ xfs_readlink(
|
||||
char *link)
|
||||
{
|
||||
xfs_mount_t *mp = ip->i_mount;
|
||||
int pathlen;
|
||||
xfs_fsize_t pathlen;
|
||||
int error = 0;
|
||||
|
||||
trace_xfs_readlink(ip);
|
||||
@ -122,13 +122,19 @@ xfs_readlink(
|
||||
|
||||
xfs_ilock(ip, XFS_ILOCK_SHARED);
|
||||
|
||||
ASSERT(S_ISLNK(ip->i_d.di_mode));
|
||||
ASSERT(ip->i_d.di_size <= MAXPATHLEN);
|
||||
|
||||
pathlen = ip->i_d.di_size;
|
||||
if (!pathlen)
|
||||
goto out;
|
||||
|
||||
if (pathlen < 0 || pathlen > MAXPATHLEN) {
|
||||
xfs_alert(mp, "%s: inode (%llu) bad symlink length (%lld)",
|
||||
__func__, (unsigned long long) ip->i_ino,
|
||||
(long long) pathlen);
|
||||
ASSERT(0);
|
||||
return XFS_ERROR(EFSCORRUPTED);
|
||||
}
|
||||
|
||||
|
||||
if (ip->i_df.if_flags & XFS_IFINLINE) {
|
||||
memcpy(link, ip->i_df.if_u1.if_data, pathlen);
|
||||
link[pathlen] = '\0';
|
||||
|
Loading…
Reference in New Issue
Block a user