On Thu, Dec 11, 2008 at 07:16:26PM +0000, Duane Griffin wrote: > The result from readlink is being used to index into the link name > buffer without checking whether it is a valid length. If readlink > returns an error this will fault or cause memory corruption. > > Signed-off-by: Duane Griffin <[email protected]>
Acked-by: Michael Halcrow <[email protected]> > --- > fs/ecryptfs/inode.c | 3 ++- > 1 files changed, 2 insertions(+), 1 deletions(-) > > diff --git a/fs/ecryptfs/inode.c b/fs/ecryptfs/inode.c > index 89209f0..5e78fc1 100644 > --- a/fs/ecryptfs/inode.c > +++ b/fs/ecryptfs/inode.c > @@ -673,10 +673,11 @@ static void *ecryptfs_follow_link(struct dentry > *dentry, struct nameidata *nd) > ecryptfs_printk(KERN_DEBUG, "Calling readlink w/ " > "dentry->d_name.name = [%s]\n", dentry->d_name.name); > rc = dentry->d_inode->i_op->readlink(dentry, (char __user *)buf, len); > - buf[rc] = '\0'; > set_fs(old_fs); > if (rc < 0) > goto out_free; > + else > + buf[rc] = '\0'; > rc = 0; > nd_set_link(nd, buf); > goto out; ------------------------------------------------------------------------------ SF.Net email is Sponsored by MIX09, March 18-20, 2009 in Las Vegas, Nevada. The future of the web can't happen without you. Join us at MIX09 to help pave the way to the Next Web now. Learn more and register at http://ad.doubleclick.net/clk;208669438;13503038;i?http://2009.visitmix.com/ _______________________________________________ eCryptfs-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/ecryptfs-devel
