Thanks for the clarification! This sounds good to me. I will send a revised patch.

Best,
- Tong
> On Nov 21, 2020, at 4:57 PM, Anders Larsen <[email protected]> wrote:
>
> On Saturday, 2020-11-21 22:47 Tong Zhang wrote:
>>
>>> On Nov 21, 2020, at 4:40 PM, Anders Larsen <[email protected]> wrote:
>>>
>>> On Friday, 2020-11-20 22:21 Tong Zhang wrote:
>>>> the di_fname may not be terminated by '\0', use strnlen to prevent buffer
>>>> overrun
>>>>
>>>> ---
>>>> fs/qnx4/namei.c | 2 +-
>>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>>
>>>> diff --git a/fs/qnx4/namei.c b/fs/qnx4/namei.c
>>>> index 8d72221735d7..c0e79094f578 100644
>>>> --- a/fs/qnx4/namei.c
>>>> +++ b/fs/qnx4/namei.c
>>>> @@ -40,7 +40,7 @@ static int qnx4_match(int len, const char *name,
>>>> } else {
>>>> namelen = QNX4_SHORT_NAME_MAX;
>>>> }
>>>> - thislen = strlen( de->di_fname );
>>>> + thislen = strnlen( de->di_fname, QNX4_SHORT_NAME_MAX );
>>>
>>> that should be
>>> + thislen = strnlen( de->di_fname, namelen );
>>> otherwise the length of a filename would always be limited to
>>> QNX4_SHORT_NAME_MAX (16) characters.
>>>
>> Why should we put something bigger here if the size of
>> qnx4_inode_entry->di_fname is QNX4_SHORT_NAME_MAX.
>> Won’t that be a problem?
>
> If QNX4_FILE_LINK is set in de->di_status (see line 38), 'de' actually points
> to a struct qnx4_link_info which can hold a longer name.
> That's the reason for the namelen massage.
> (Please don't ask why it is not a union)
>
> Cheers
> Anders
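Review bot: the bound passed to strnlen() in the `+` line should be `namelen`, not `QNX4_SHORT_NAME_MAX`. The context lines directly above the change already compute `namelen` per entry type (the `else` branch sets it to `QNX4_SHORT_NAME_MAX`; the other branch covers the `QNX4_FILE_LINK` case, where `de` points to a `struct qnx4_link_info` holding a longer name, as Anders explains), so `thislen = strnlen( de->di_fname, namelen );` keeps the protection against reading past an unterminated name while still allowing link entries to use their full length; with the constant, every name is cut at 16 characters before it is compared. Since an unterminated name that fills its buffer now yields `thislen == namelen`, it would also be worth a one-line comment at the hunk saying that `di_fname` is not guaranteed to be NUL-terminated, so the reason for strnlen() over strlen() survives in the source rather than only in the commit message.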

