Re: [PATCH][REPOST] Check maxlen on strnlen_user usage
From: Andrew Morton
Date: Wed Sep 07 2011 - 20:07:14 EST
On Thu, 08 Sep 2011 09:54:18 +1000
Ryan Mallon <rmallon@xxxxxxxxx> wrote:
> strnlen_user returns the length of the string including the nul
> terminator. In the case where maxlen is reached strnlen_user returns
> maxlen + 1. Most callsites already check for this condition. Fix the
> call to strnlen_user in fs/exec.c to check for the maxlen case.
>
> diff --git a/fs/exec.c b/fs/exec.c
> index 25dcbe5..e19588c 100644
> --- a/fs/exec.c
> +++ b/fs/exec.c
> @@ -481,7 +481,7 @@ static int copy_strings(int argc, struct
> user_arg_ptr argv,
> goto out;
>
> len = strnlen_user(str, MAX_ARG_STRLEN);
> - if (!len)
> + if (!len || len> MAX_ARG_STRLEN)
> goto out;
>
> ret = -E2BIG;
The following call to vald_arg_len() already does this?
This change will cause copy_strings() to incorrectly return -EFAULT,
rather than -E2BIG.
Your email client is wordwrapping and space-stuffing the patches, btw.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/