When we create a static buffer for an inode name, and treat it like a null-terminated string, it needs to be of length CLD_INODE_NAME_MAX + 1 so that it can hold the NULL-terminator.
In cldc_del and cldc_open, we should check that the user-submitted inode name is less than or equal to CLD_INODE_NAME_MAX. Formerly we were just checking that it wasn't too big to fit in the packet. When copying the inode name out of struct cld_dirent_cur, use snprintf rather than strcpy to ensure that we never overflow the buffer. This isn't strictly necessary if all other checks are working perfectly, but it seems prudent. Signed-off-by: Colin McCabe <[email protected]> --- include/cldc.h | 2 +- lib/cldc.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/include/cldc.h b/include/cldc.h index f1db7d2..0d72669 100644 --- a/include/cldc.h +++ b/include/cldc.h @@ -41,7 +41,7 @@ struct cldc_call_opts { struct cld_msg_get_resp resp; const char *buf; unsigned int size; - char inode_name[CLD_INODE_NAME_MAX]; + char inode_name[CLD_INODE_NAME_MAX + 1]; } get; } u; }; diff --git a/lib/cldc.c b/lib/cldc.c index 3dc565c..dcc179c 100644 --- a/lib/cldc.c +++ b/lib/cldc.c @@ -903,7 +903,7 @@ int cldc_del(struct cldc_session *sess, const struct cldc_call_opts *copts, return -EINVAL; plen = strlen(pathname); - if (plen > 65530) + if (plen > CLD_INODE_NAME_MAX) return -EINVAL; /* create DEL message */ @@ -974,7 +974,7 @@ int cldc_open(struct cldc_session *sess, return -EINVAL; plen = strlen(pathname); - if (plen > 65530) + if (plen > CLD_INODE_NAME_MAX) return -EINVAL; /* create OPEN message */ -- 1.6.2.5 -- To unsubscribe from this list: send the line "unsubscribe hail-devel" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html
