From: [email protected]

Fix a slab memory corruption seen when rmdir is called on a directory of length greater than 242 characters. This happens because in whout.c when cnt++ gets a large value and directory len become, we write past the end of allocated memory.
Signed-off-by: Thayumanavar Sachithanantham <[email protected]> --- --- aufs2-2.6/fs/aufs/whout.c.orig 2010-07-19 10:49:37.000000000 -0400 +++ aufs2-2.6/fs/aufs/whout.c 2010-07-19 10:52:42.000000000 -0400 @@ -150,7 +150,7 @@ struct dentry *au_whtmp_lkup(struct dent qs.name = name; for (i = 0; i < 3; i++) { - sprintf(p, "%.*d", AUFS_WH_TMP_LEN, cnt++); + snprintf(p, NAME_MAX - ( p - name ) + AUFS_WH_TMP_LEN + 1,"%.*d", AUFS_WH_TMP_LEN, cnt++); dentry = au_sio_lkup_one(&qs, h_parent, br); if (IS_ERR(dentry) || !dentry->d_inode) goto out_name;
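Review bot: the size passed to snprintf() on the added line, `NAME_MAX - ( p - name ) + AUFS_WH_TMP_LEN + 1`, is computed from NAME_MAX rather than from the size `name` was actually allocated with, and that allocation is not part of this hunk, so the bound cannot be verified from the patch; please derive it from the allocation size, or state in the commit message why the two are equal. The precision in `"%.*d"` is a minimum digit count, not a maximum, so once `cnt` needs more than AUFS_WH_TMP_LEN digits snprintf() will silently truncate and au_sio_lkup_one() will look up a shortened name; the return value should be compared against the size and the loop should bail out (for example via `out_name`) on truncation. Style: drop the spaces inside `( p - name )`, add a space after the comma before the format string, and wrap the line to stay within 80 columns.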
