提交 c2183d1e 编写于 作者: M Miklos Szeredi

fuse: check size of FUSE_NOTIFY_INVAL_ENTRY message

FUSE_NOTIFY_INVAL_ENTRY didn't check the length of the write so the
message processing could overrun and result in a "kernel BUG at
fs/fuse/dev.c:629!"
Reported-by: NHan-Wen Nienhuys <hanwenn@gmail.com>
Signed-off-by: NMiklos Szeredi <mszeredi@suse.cz>
CC: stable@kernel.org
上级 478e0841
...@@ -1358,6 +1358,10 @@ static int fuse_notify_inval_entry(struct fuse_conn *fc, unsigned int size, ...@@ -1358,6 +1358,10 @@ static int fuse_notify_inval_entry(struct fuse_conn *fc, unsigned int size,
if (outarg.namelen > FUSE_NAME_MAX) if (outarg.namelen > FUSE_NAME_MAX)
goto err; goto err;
err = -EINVAL;
if (size != sizeof(outarg) + outarg.namelen + 1)
goto err;
name.name = buf; name.name = buf;
name.len = outarg.namelen; name.len = outarg.namelen;
err = fuse_copy_one(cs, buf, outarg.namelen + 1); err = fuse_copy_one(cs, buf, outarg.namelen + 1);
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册