[stable] [18/19] fuse: check size of FUSE_NOTIFY_INVAL_ENTRY message

Greg KH Sat, 27 Aug 2011 07:56:52 -0700

2.6.32-longterm review patch.  If anyone has any objections, please let us know.


------------------

From: Miklos Szeredi <mszer...@suse.cz>

commit c2183d1e9b3f313dd8ba2b1b0197c8d9fb86a7ae upstream.

FUSE_NOTIFY_INVAL_ENTRY didn't check the length of the write so the
message processing could overrun and result in a "kernel BUG at
fs/fuse/dev.c:629!"

Reported-by: Han-Wen Nienhuys <hanw...@gmail.com>
Signed-off-by: Miklos Szeredi <mszer...@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gre...@suse.de>

---
 fs/fuse/dev.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -899,6 +899,10 @@ static int fuse_notify_inval_entry(struc
        if (outarg.namelen > FUSE_NAME_MAX)
                goto err;
 
+       err = -EINVAL;
+       if (size != sizeof(outarg) + outarg.namelen + 1)
+               goto err;
+
        name.name = buf;
        name.len = outarg.namelen;
        err = fuse_copy_one(cs, buf, outarg.namelen + 1);


_______________________________________________
stable mailing list
stable@linux.kernel.org
http://linux.kernel.org/mailman/listinfo/stable

[stable] [18/19] fuse: check size of FUSE_NOTIFY_INVAL_ENTRY message

Reply via email to