Hello Okajima, correct, the name could not go beyond 242 chars, and because of cnt/%d the buffer could be overrun. I think having snprintf(p, WH_TMP_LEN+1, "%.*x", AUFS_WH_TMP_LEN, cnt++); would be better.
Thx, Thayumanavar S.

On Mon, Jul 19, 2010 at 11:46 PM, <[email protected]> wrote:
>
> Thayumanavar Sachithanantham:
>> Fix a slab memory corruption seen when rmdir a directory of length
>> greater than 242 characters. This happens because in whout.c, when cnt++
>> gets a large value and directory len become, we write past the end of
>> the allocated memory.
>
> Thanx for the patch.
>
> I don't think such a long name could happen in aufs, because aufs sets
> the limit AUFS_MAX_NAMELEN (242) on the length of a filename.
> But "cnt" may grow and exceed 9999 (4 digits). In this case, "%04d" will
> print 5 (or more) digits, and overrun the buffer.
> Actually it was "%x" instead of "%d" in the early days and I had changed
> it carelessly.
>
> Finally I'd like to revert it like this. What do you think?
>
> diff --git a/fs/aufs/whout.c b/fs/aufs/whout.c
> index 6d491a0..cca216b 100644
> --- a/fs/aufs/whout.c
> +++ b/fs/aufs/whout.c
> @@ -150,7 +150,7 @@ struct dentry *au_whtmp_lkup(struct dentry *h_parent,
> struct au_branch *br,
>
> qs.name = name;
> for (i = 0; i < 3; i++) {
> - sprintf(p, "%.*d", AUFS_WH_TMP_LEN, cnt++);
> + sprintf(p, "%.*x", AUFS_WH_TMP_LEN, cnt++);
> dentry = au_sio_lkup_one(&qs, h_parent, br);
> if (IS_ERR(dentry) || !dentry->d_inode)
> goto out_name;
>
>
> J. R. Okajima
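Review bot: changing "%.*d" to "%.*x" in the au_whtmp_lkup loop only moves the point at which the overrun recurs; the precision of an integer conversion is a minimum digit count, not a maximum, so with the 4-digit AUFS_WH_TMP_LEN the reply describes, "%.*x" writes 5 or more characters past the slot once cnt exceeds 0xffff (65535), just as "%04d" did past 9999. Since cnt is incremented up to three times per call and never reset in this hunk, the bound should be made structural rather than left to the counter staying small: either wrap cnt before formatting (cnt &= 0xffff for the hex form), or replace the sprintf with snprintf bounded by the slot size so an oversized value is truncated instead of overrunning the name buffer.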

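An added C demonstration of the point discussed in this thread (example code, not aufs code): the precision in "%.*d" and "%.*x" only sets a minimum digit count, so each form stops fitting a fixed slot at a different counter value, and a snprintf bounded by the slot size stops the overrun regardless of how large the counter grows. WH_TMP_LEN = 4 is assumed from the "4 digits" in the reply; all function names here are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Assumed from the thread's "4 digits": width of the counter slot. */
#define WH_TMP_LEN 4

/* Characters a conversion such as "%.*d" or "%.*x" produces for cnt
 * (NUL excluded). Precision on an integer conversion is a MINIMUM, so
 * the length grows past WH_TMP_LEN once cnt needs more digits. */
int formatted_len(const char *fmt, int cnt)
{
    return snprintf(NULL, 0, fmt, WH_TMP_LEN, cnt);
}

/* Largest counter value that still fits in exactly WH_TMP_LEN chars,
 * i.e. the value after which the unbounded sprintf starts overrunning. */
int last_fitting_value(const char *fmt)
{
    int cnt = 0;
    while (formatted_len(fmt, cnt + 1) <= WH_TMP_LEN)
        cnt++;
    return cnt;
}

/* Hardened write: at most `room` bytes ever reach the slot, however
 * large cnt has grown. Returns 1 if the value fit, 0 if it was cut
 * short (the caller should then wrap the counter, e.g. cnt %= 10000). */
int write_counter(char *slot, size_t room, const char *fmt, int cnt)
{
    int n = snprintf(slot, room, fmt, WH_TMP_LEN, cnt);
    return n >= 0 && (size_t)n < room;
}

int main(void)
{
    char slot[WH_TMP_LEN + 1];

    printf("%%.*d overruns after cnt = %d\n", last_fitting_value("%.*d"));
    printf("%%.*x overruns after cnt = %d\n", last_fitting_value("%.*x"));
    if (!write_counter(slot, sizeof slot, "%.*d", 10000))
        printf("bounded write truncated to \"%s\" instead of overrunning\n", slot);
    return 0;
}
```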