summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDuane Griffin <duaneg@dghda.com>2008-12-19 21:47:12 +0100
committerAl Viro <viro@zeniv.linux.org.uk>2009-01-01 00:07:39 +0100
commitebd09abbd9699f328165aee50a070403fbf55a37 (patch)
treea253ba391180a3eed580a493eb831aaae167c837
parentvfs: introduce helper function to safely NUL-terminate symlinks (diff)
downloadlinux-ebd09abbd9699f328165aee50a070403fbf55a37.tar.xz
linux-ebd09abbd9699f328165aee50a070403fbf55a37.zip
vfs: ensure page symlinks are NUL-terminated
On-disk data corruption could cause a page link to have its i_size set to PAGE_SIZE (or a multiple thereof) and its contents all non-NUL. NUL-terminate the link name to ensure this doesn't cause further problems for the kernel. Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Duane Griffin <duaneg@dghda.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-rw-r--r--fs/namei.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/fs/namei.c b/fs/namei.c
index ab441af4196b..9ed5e2818f80 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -2786,13 +2786,16 @@ int vfs_follow_link(struct nameidata *nd, const char *link)
/* get the link contents into pagecache */
static char *page_getlink(struct dentry * dentry, struct page **ppage)
{
- struct page * page;
+ char *kaddr;
+ struct page *page;
struct address_space *mapping = dentry->d_inode->i_mapping;
page = read_mapping_page(mapping, 0, NULL);
if (IS_ERR(page))
return (char*)page;
*ppage = page;
- return kmap(page);
+ kaddr = kmap(page);
+ nd_terminate_link(kaddr, dentry->d_inode->i_size, PAGE_SIZE - 1);
+ return kaddr;
}
int page_readlink(struct dentry *dentry, char __user *buffer, int buflen)