Commit c2183d1e authored by Miklos Szeredi's avatar Miklos Szeredi

fuse: check size of FUSE_NOTIFY_INVAL_ENTRY message

FUSE_NOTIFY_INVAL_ENTRY didn't check the length of the write so the
message processing could overrun and result in a "kernel BUG at
fs/fuse/dev.c:629!"
Reported-by: default avatarHan-Wen Nienhuys <hanwenn@gmail.com>
Signed-off-by: default avatarMiklos Szeredi <mszeredi@suse.cz>
CC: stable@kernel.org
parent 478e0841
...@@ -1358,6 +1358,10 @@ static int fuse_notify_inval_entry(struct fuse_conn *fc, unsigned int size, ...@@ -1358,6 +1358,10 @@ static int fuse_notify_inval_entry(struct fuse_conn *fc, unsigned int size,
if (outarg.namelen > FUSE_NAME_MAX) if (outarg.namelen > FUSE_NAME_MAX)
goto err; goto err;
err = -EINVAL;
if (size != sizeof(outarg) + outarg.namelen + 1)
goto err;
name.name = buf; name.name = buf;
name.len = outarg.namelen; name.len = outarg.namelen;
err = fuse_copy_one(cs, buf, outarg.namelen + 1); err = fuse_copy_one(cs, buf, outarg.namelen + 1);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment