Re: [PATCH] qnx4: fix to avoid panic due to buffer overflow
From: Anders Larsen
Date: Sun Nov 12 2023 - 11:25:10 EST
On 2023-11-12 10:53 Ronald Monthero wrote:
> qnx4 dir name length can vary to be of maximum size
> QNX4_NAME_MAX or QNX4_SHORT_NAME_MAX depending on whether
> 'link info' entry is stored and the status byte is set.
> So to avoid buffer overflow check di_fname length
> fetched from (struct qnx4_inode_entry *)
> before use in strlen to avoid buffer overflow.
[snip]
>
> Signed-off-by: Ronald Monthero <debug.penguin32@xxxxxxxxx>
> ---
> fs/qnx4/namei.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/fs/qnx4/namei.c b/fs/qnx4/namei.c
> index 8d72221735d7..825b891a52b3 100644
> --- a/fs/qnx4/namei.c
> +++ b/fs/qnx4/namei.c
> @@ -40,6 +40,13 @@ static int qnx4_match(int len, const char *name,
> } else {
> namelen = QNX4_SHORT_NAME_MAX;
> }
> +
> + /** qnx4 dir name length can vary, check the di_fname
> + * fetched from (struct qnx4_inode_entry *) before use in
> + * strlen to avoid panic due to buffer overflow"
> + */
> + if (strnlen(de->di_fname, namelen) >= sizeof(de->di_fname))
> + return -ENAMETOOLONG;
sizeof(de->di_fname) equals QNX4_SHORT_NAME_MAX, so this test fails as soon as
a filename is longer than that!
This quick fix (untested!) should do the trick (and avoids computing the length
of the name twice):
diff --git a/fs/qnx4/namei.c b/fs/qnx4/namei.c
index 8d72221735d7..7694f86fbb2e 100644
--- a/fs/qnx4/namei.c
+++ b/fs/qnx4/namei.c
@@ -40,9 +40,7 @@ static int qnx4_match(int len, const char *name,
} else {
namelen = QNX4_SHORT_NAME_MAX;
}
- thislen = strlen( de->di_fname );
- if ( thislen > namelen )
- thislen = namelen;
+ thislen = strnlen(de->di_fname, namelen);
if (len != thislen) {
return 0;
}
Cheers
Anders