diff options
| author | Mark Fasheh <[email protected]> | 2008-07-24 16:20:14 +0000 |
|---|---|---|
| committer | Chris Mason <[email protected]> | 2008-09-25 15:04:05 +0000 |
| commit | 5516e5957f4b99b19fffffa53bf9fbe7cc793249 (patch) | |
| tree | d5d0b0d3850fc37093300920a672b3b051c86a82 /fs/btrfs/async-thread.c | |
| parent | Fix path slots selection in btrfs_search_forward (diff) | |
| download | kernel-5516e5957f4b99b19fffffa53bf9fbe7cc793249.tar.gz kernel-5516e5957f4b99b19fffffa53bf9fbe7cc793249.zip | |
Btrfs: Null terminate strings passed in from userspace
The 'char name[BTRFS_PATH_NAME_MAX]' member of struct btrfs_ioctl_vol_args
is passed directly to strlen() after being copied from user. I haven't
verified this, but in theory a userspace program could pass in an
unterminated string and cause a kernel crash as strlen walks off the end of
the array.
This patch terminates the ->name string in all btrfs ioctl functions which
currently use a 'struct btrfs_ioctl_vol_args'. Since the string is now
properly terminated, it's length will never be longer than
BTRFS_PATH_NAME_MAX so that error check has been removed.
By the way, it might be better overall to just have the ioctl pass an
unterminated string + length structure but I didn't bother with that since
it'd change the kernel/user interface.
Signed-off-by: Mark Fasheh <[email protected]>
Signed-off-by: Chris Mason <[email protected]>
Diffstat (limited to 'fs/btrfs/async-thread.c')
0 files changed, 0 insertions, 0 deletions