The 'char name[BTRFS_PATH_NAME_MAX]' member of struct btrfs_ioctl_vol_args
is passed directly to strlen() after being copied from user. I haven't
verified this, but in theory a userspace program could pass in an
unterminated string and cause a kernel crash as strlen walks off the end of
the array.
This patch terminates the ->name string in all btrfs ioctl functions which
currently use a 'struct btrfs_ioctl_vol_args'. Since the string is now
properly terminated, it's length will never be longer than
BTRFS_PATH_NAME_MAX so that error check has been removed.
By the way, it might be better overall to just have the ioctl pass an
unterminated string + length structure but I didn't bother with that since
it'd change the kernel/user interface.
Signed-off-by: Mark Fasheh <[email protected]>
Signed-off-by: Chris Mason <[email protected]>
ret = -EFAULT;
goto out;
}
+
+ vol_args->name[BTRFS_PATH_NAME_MAX] = '\0';
namelen = strlen(vol_args->name);
- if (namelen > BTRFS_VOL_NAME_MAX) {
- ret = -EINVAL;
- goto out;
- }
mutex_lock(&root->fs_info->volume_mutex);
sizestr = vol_args->name;
goto out;
}
+ vol_args->name[BTRFS_PATH_NAME_MAX] = '\0';
namelen = strlen(vol_args->name);
- if (namelen > BTRFS_VOL_NAME_MAX) {
- ret = -EINVAL;
- goto out;
- }
if (strchr(vol_args->name, '/')) {
ret = -EINVAL;
goto out;
ret = -EFAULT;
goto out;
}
+ vol_args->name[BTRFS_PATH_NAME_MAX] = '\0';
ret = btrfs_init_new_device(root, vol_args->name);
out:
ret = -EFAULT;
goto out;
}
+ vol_args->name[BTRFS_PATH_NAME_MAX] = '\0';
ret = btrfs_rm_device(root, vol_args->name);
out:
projects / openwrt / staging / blogic.git / commitdiff