ocfs2: Don't walk off the end of fast symlinks.
ocfs2 fast symlinks are NUL terminated strings stored inline in the
inode data area.  However, disk corruption or a local attacker could, in
theory, remove that NUL.  Because we're using strlen() (my fault,
introduced in a731d1 when removing vfs_follow_link()), we could walk off
the end of that string.

Signed-off-by: Joel Becker <joel.becker@oracle.com>
Cc: stable@kernel.org
Joel Becker committed Sep 30, 2010
1 parent 899611e commit 1fc8a11
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion fs/ocfs2/symlink.c
Expand Up @@ -128,7 +128,7 @@ static void *ocfs2_fast_follow_link(struct dentry *dentry,
}

/* Fast symlinks can't be large */
len = strlen(target);
len = strnlen(target, ocfs2_fast_symlink_chars(inode->i_sb));
link = kzalloc(len + 1, GFP_NOFS);
if (!link) {
status = -ENOMEM;
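
Review bot: The new strnlen() line accepts an unterminated symlink silently. When the on-disk NUL is missing, len simply equals ocfs2_fast_symlink_chars(inode->i_sb) and the function carries on to kzalloc(len + 1, GFP_NOFS) as if the target were valid, so a corrupted inode resolves to a truncated path with no indication that anything was wrong. Consider treating len == ocfs2_fast_symlink_chars(inode->i_sb) as corruption and failing the lookup with an error, or at least logging it. The comment "Fast symlinks can't be large" should also say that the bound exists because the inline data cannot be trusted to be NUL terminated, otherwise a later cleanup could reasonably turn this back into strlen(). The copy into link is outside the visible lines; it needs to copy exactly len bytes so that the zeroed extra byte from kzalloc remains the terminator.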