diff options
author | Duane Griffin <duaneg@dghda.com> | 2008-12-19 21:47:12 +0100 |
---|---|---|
committer | Al Viro <viro@zeniv.linux.org.uk> | 2009-01-01 00:07:39 +0100 |
commit | ebd09abbd9699f328165aee50a070403fbf55a37 (patch) | |
tree | a253ba391180a3eed580a493eb831aaae167c837 | |
parent | vfs: introduce helper function to safely NUL-terminate symlinks (diff) | |
download | linux-ebd09abbd9699f328165aee50a070403fbf55a37.tar.xz linux-ebd09abbd9699f328165aee50a070403fbf55a37.zip |
vfs: ensure page symlinks are NUL-terminated
On-disk data corruption could cause a page link to have its i_size set
to PAGE_SIZE (or a multiple thereof) and its contents all non-NUL.
NUL-terminate the link name to ensure this doesn't cause further
problems for the kernel.
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Duane Griffin <duaneg@dghda.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-rw-r--r-- | fs/namei.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/fs/namei.c b/fs/namei.c index ab441af4196b..9ed5e2818f80 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -2786,13 +2786,16 @@ int vfs_follow_link(struct nameidata *nd, const char *link) /* get the link contents into pagecache */ static char *page_getlink(struct dentry * dentry, struct page **ppage) { - struct page * page; + char *kaddr; + struct page *page; struct address_space *mapping = dentry->d_inode->i_mapping; page = read_mapping_page(mapping, 0, NULL); if (IS_ERR(page)) return (char*)page; *ppage = page; - return kmap(page); + kaddr = kmap(page); + nd_terminate_link(kaddr, dentry->d_inode->i_size, PAGE_SIZE - 1); + return kaddr; } int page_readlink(struct dentry *dentry, char __user *buffer, int buflen) |