From: Dominique Martinet
To: v9fs-developer@lists.sourceforge.net, Eric Van Hensbergen, Latchesar Ionkov
Cc: linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, Dominique Martinet
Subject: [PATCH 3/4] 9p: p9dirent_read: check network-provided name length
Date: Fri, 7 Sep 2018 18:50:56 +0200
Message-Id: <1536339057-21974-4-git-send-email-asmadeus@codewreck.org>
In-Reply-To: <1536339057-21974-1-git-send-email-asmadeus@codewreck.org>

From: Dominique Martinet strcpy to dirent->d_name could overflow the buffer, use strscpy to check the provided string length and error out if the size was too big. While we are here, make the function return an error when the pdu parsing failed, instead of returning the pdu offset as if it had been a success... Addresses-Coverity-ID: 139133 ("Copy into fixed size buffer") Signed-off-by: Dominique Martinet --- net/9p/protocol.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/net/9p/protocol.c b/net/9p/protocol.c index b4d80c533f89..462ba144cb39 100644 --- a/net/9p/protocol.c +++ b/net/9p/protocol.c @@ -623,13 +623,19 @@ int p9dirent_read(struct p9_client *clnt, char *buf, int len, if (ret) { p9_debug(P9_DEBUG_9P, "<<< p9dirent_read failed: %d\n", ret); trace_9p_protocol_dump(clnt, &fake_pdu); - goto out; + return ret; } - strcpy(dirent->d_name, nameptr); + ret = strscpy(dirent->d_name, nameptr, sizeof(dirent->d_name)); + if (ret < 0) { + p9_debug(P9_DEBUG_ERROR, + "On the wire dirent name too long: %s\n", + nameptr); + kfree(nameptr); + return ret; + } kfree(nameptr); -out: return fake_pdu.offset; } EXPORT_SYMBOL(p9dirent_read); -- 2.17.1
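
Review bot: In the new `if (ret < 0)` branch, the p9_debug call prints `nameptr` with a bare `%s`, and on this path the string came off the wire and is already known not to fit in dirent->d_name, so the message can write an arbitrarily long, untrusted name into the log. Consider logging the name's length instead, or bounding the output with a precision in the format string. Separately, the function now returns a negative value from both the parse-failure path (`return ret;`) and the strscpy failure, while success still returns `fake_pdu.offset`; a short comment above p9dirent_read stating that contract would help, and it is worth confirming that the callers, which this hunk does not show, test for `< 0`. When strscpy fails it has already written a truncated, NUL-terminated name into dirent->d_name, so the comment should also say that the dirent contents are not to be used on error.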