| From 431f5b6339904bbdee2be52cc8a2c8c6f84decdf Mon Sep 17 00:00:00 2001 |
| From: Dan Carpenter <dan.carpenter@oracle.com> |
| Date: Mon, 22 May 2017 15:08:31 +0300 |
| Subject: orangefs: off by ones in xattr size checks |
| |
| [ Upstream commit 5f13e58767a53ebb54265e03c0c4a67650286263 ] |
| |
| A previous patch which claimed to remove off by ones actually introduced |
| them. |
| |
| strlen() returns the length of the string not including the NUL |
| character. We are using strcpy() to copy "name" into a buffer which is |
| ORANGEFS_MAX_XATTR_NAMELEN characters long. We should make sure to |
| leave space for the NUL, otherwise we're writing one character beyond |
| the end of the buffer. |
| |
| Fixes: e675c5ec51fe ("orangefs: clean up oversize xattr validation") |
| Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> |
| Signed-off-by: Mike Marshall <hubcap@omnibond.com> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| fs/orangefs/xattr.c | 6 +++--- |
| 1 file changed, 3 insertions(+), 3 deletions(-) |
| |
| diff --git a/fs/orangefs/xattr.c b/fs/orangefs/xattr.c |
| index 237c9c04dc3b..a34b25be39c5 100644 |
| --- a/fs/orangefs/xattr.c |
| +++ b/fs/orangefs/xattr.c |
| @@ -76,7 +76,7 @@ ssize_t orangefs_inode_getxattr(struct inode *inode, const char *name, |
| if (S_ISLNK(inode->i_mode)) |
| return -EOPNOTSUPP; |
| |
| - if (strlen(name) > ORANGEFS_MAX_XATTR_NAMELEN) |
| + if (strlen(name) >= ORANGEFS_MAX_XATTR_NAMELEN) |
| return -EINVAL; |
| |
| fsuid = from_kuid(&init_user_ns, current_fsuid()); |
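Review bot: Nothing at this check says why the comparison is `>=`, and the strcpy() that makes it necessary lies outside the hunk, so a later cleanup can reintroduce the one-byte overflow just as the commit named in Fixes: did. I would add a comment above the check, `/* name is strcpy()'d into an ORANGEFS_MAX_XATTR_NAMELEN-byte buffer; keep room for the NUL */`, and repeat it above the identical checks in orangefs_inode_removexattr and orangefs_inode_setxattr. If the copy sites are as the commit message describes, bounding the copy itself by the destination size (for example strscpy() with sizeof of the key buffer) would stop the write depending on a guard several lines away. The body of orangefs_inode_getxattr continues outside the hunk.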
| @@ -169,7 +169,7 @@ static int orangefs_inode_removexattr(struct inode *inode, const char *name, |
| struct orangefs_kernel_op_s *new_op = NULL; |
| int ret = -ENOMEM; |
| |
| - if (strlen(name) > ORANGEFS_MAX_XATTR_NAMELEN) |
| + if (strlen(name) >= ORANGEFS_MAX_XATTR_NAMELEN) |
| return -EINVAL; |
| |
| down_write(&orangefs_inode->xattr_sem); |
| @@ -233,7 +233,7 @@ int orangefs_inode_setxattr(struct inode *inode, const char *name, |
| |
| if (size > ORANGEFS_MAX_XATTR_VALUELEN) |
| return -EINVAL; |
| - if (strlen(name) > ORANGEFS_MAX_XATTR_NAMELEN) |
| + if (strlen(name) >= ORANGEFS_MAX_XATTR_NAMELEN) |
| return -EINVAL; |
| |
| internal_flag = convert_to_internal_xattr_flags(flags); |
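Review bot: The two adjacent length checks in orangefs_inode_setxattr now use different operators, `size > ORANGEFS_MAX_XATTR_VALUELEN` and `strlen(name) >= ORANGEFS_MAX_XATTR_NAMELEN`, with no explanation of why. This is presumably correct if the value is copied by length without a terminator while the name is copied as a NUL-terminated string, but both copies are outside the hunk and the difference reads like a typo. A one-line comment such as `/* value is length-counted (no NUL); name needs one byte for its NUL */` would keep a later cleanup from aligning the two operators. The function continues outside the hunk.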
| -- |
| 2.17.1 |
| |