diff options
| author | Xi Wang <xi.wang@gmail.com> | 2012-04-25 20:45:22 +0200 |
|---|---|---|
| committer | David Woodhouse <David.Woodhouse@intel.com> | 2012-05-14 06:05:15 +0200 |
| commit | 7c80c352331a27cf0584f1701ed3a003984985f0 (patch) | |
| tree | 3c90b8d5a23cf563fb40a9866bc8dcf11af4b2fc /security | |
| parent | mtd: cmdlinepart: fix commentary (diff) | |
| download | linux-7c80c352331a27cf0584f1701ed3a003984985f0.tar.xz linux-7c80c352331a27cf0584f1701ed3a003984985f0.zip | |
jffs2: validate symlink size in jffs2_do_read_inode_internal()
`csize' is read from disk and thus needs validation. Otherwise a bogus
value 0xffffffff would turn the subsequent kmalloc(csize + 1, ...) into
kmalloc(0, ...), leading to out-of-bounds write.
This patch limits `csize' to JFFS2_MAX_NAME_LEN, which is also used
in jffs2_symlink().
Artem: we actually validate csize by checking CRC, so this 0xFFs cannot
come from empty flash region. But I guess an attacker could feed JFFS2
an image with random csize value, including 0xFFs.
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Diffstat (limited to 'security')
0 files changed, 0 insertions, 0 deletions