1 From 1fc8a117865b54590acd773a55fbac9221b018f0 Mon Sep 17 00:00:00 2001
2 From: Joel Becker <joel.becker@oracle.com>
3 Date: Wed, 29 Sep 2010 17:33:05 -0700
4 Subject: ocfs2: Don't walk off the end of fast symlinks.
5
6 From: Joel Becker <joel.becker@oracle.com>
7
8 commit 1fc8a117865b54590acd773a55fbac9221b018f0 upstream.
9
10 ocfs2 fast symlinks are NUL terminated strings stored inline in the
11 inode data area. However, disk corruption or a local attacker could, in
12 theory, remove that NUL. Because we're using strlen() (my fault,
13 introduced in a731d1 when removing vfs_follow_link()), we could walk off
14 the end of that string.
15
16 Signed-off-by: Joel Becker <joel.becker@oracle.com>
17 Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
18
19 ---
20 fs/ocfs2/symlink.c | 2 +-
21 1 file changed, 1 insertion(+), 1 deletion(-)
22
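--- a/fs/ocfs2/symlink.c
+++ b/fs/ocfs2/symlink.c
@@ -128,7 +128,7 @@ static void *ocfs2_fast_follow_link(stru
 }
 
 /* Fast symlinks can't be large */
-len = strlen(target);
+len = strnlen(target, ocfs2_fast_symlink_chars(inode->i_sb));
 link = kzalloc(len + 1, GFP_NOFS);
 if (!link) {
 status = -ENOMEM;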
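Review bot: When `strnlen()` returns the bound itself, no NUL was found in the inline area, yet the new line treats that as an ordinary maximum-length target and goes on to allocate and return a link. The commit message names disk corruption or local tampering as the ways to reach that state, so it is better rejected and logged than followed. Assuming `ocfs2_fast_symlink_chars()` is the size of the inline area, that means something like `if (len == ocfs2_fast_symlink_chars(inode->i_sb)) status = -EIO;`, routed through the function's existing error exit. The copy into `link` is outside the hunk: it must copy exactly `len` bytes and rely on `kzalloc()`'s zero fill for the terminator, because copying `len + 1` would read one byte past the area in this same case. The comment above the call could also state the reason for the bound, e.g. `/* On-disk target may lack its NUL; never scan past the inline area */`.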