From: Eric Biggers <[email protected]>
Userspace provides a null-terminated string, so don't assume that the
full FSLABEL_MAX bytes can always be copied.
Fixes: 61a3da4d5ef8 ("f2fs: support FS_IOC_{GET,SET}FSLABEL")
Signed-off-by: Eric Biggers <[email protected]>
---
fs/f2fs/file.c | 22 +++++-----------------
1 file changed, 5 insertions(+), 17 deletions(-)
diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c
index d521a582d94d..315127251bc1 100644
--- a/fs/f2fs/file.c
+++ b/fs/f2fs/file.c
@@ -3111,23 +3111,11 @@ static int f2fs_set_volume_name(struct file *filp,
unsigned long arg)
struct inode *inode = file_inode(filp);
struct f2fs_sb_info *sbi = F2FS_I_SB(inode);
char *vbuf;
- int len;
int err = 0;
- vbuf = f2fs_kzalloc(sbi, MAX_VOLUME_NAME, GFP_KERNEL);
- if (!vbuf)
- return -ENOMEM;
-
- if (copy_from_user(vbuf, (char __user *)arg, FSLABEL_MAX)) {
- err = -EFAULT;
- goto out;
- }
-
- len = strnlen(vbuf, FSLABEL_MAX);
- if (len > FSLABEL_MAX - 1) {
- err = -EINVAL;
- goto out;
- }
+ vbuf = strndup_user((const char __user *)arg, FSLABEL_MAX);
+ if (IS_ERR(vbuf))
+ return PTR_ERR(vbuf);
err = mnt_want_write_file(filp);
if (err)
@@ -3137,7 +3125,7 @@ static int f2fs_set_volume_name(struct file *filp,
unsigned long arg)
memset(sbi->raw_super->volume_name, 0,
sizeof(sbi->raw_super->volume_name));
- utf8s_to_utf16s(vbuf, MAX_VOLUME_NAME, UTF16_LITTLE_ENDIAN,
+ utf8s_to_utf16s(vbuf, strlen(vbuf), UTF16_LITTLE_ENDIAN,
sbi->raw_super->volume_name,
ARRAY_SIZE(sbi->raw_super->volume_name));
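Review bot: The return value of the new `utf8s_to_utf16s(vbuf, strlen(vbuf), ...)` call on the `+` line is still discarded, so a malformed UTF-8 label that strndup_user() accepted (it only checks for a terminator within FSLABEL_MAX, not encoding validity) is, as far as I recall, rejected by the converter with a negative error after some code units have already been stored, leaving the field that the preceding memset() just zeroed partially filled while the ioctl reports success; a UTF-16 form that needs more than ARRAY_SIZE(volume_name) units is likewise silently truncated. I would capture it, `err = utf8s_to_utf16s(vbuf, strlen(vbuf), UTF16_LITTLE_ENDIAN, sbi->raw_super->volume_name, ARRAY_SIZE(sbi->raw_super->volume_name));`, and on `err < 0` jump to the cleanup path that drops the write reference instead of committing the superblock, resetting `err = 0` on success if the caller expects zero. f2fs_set_volume_name() starts and ends outside this hunk, so the exact label to use is not visible here.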
@@ -3147,7 +3135,7 @@ static int f2fs_set_volume_name(struct file *filp,
unsigned long arg)
mnt_drop_write_file(filp);
out:
- kvfree(vbuf);
+ kfree(vbuf);
return err;
}
--
2.22.0