From: Sasha Levin
To: stable@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Dan Carpenter , Mike Marshall , Sasha Levin
Subject: [PATCH AUTOSEL 4.9 16/98] orangefs: off by ones in xattr size checks
Date: Thu, 25 Oct 2018 10:13:01 -0400
Message-Id: <20181025141423.213774-16-sashal@kernel.org>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20181025141423.213774-1-sashal@kernel.org>
References: <20181025141423.213774-1-sashal@kernel.org>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org

From: Dan Carpenter

[ Upstream commit 5f13e58767a53ebb54265e03c0c4a67650286263 ]

A previous patch which claimed to remove off by ones actually introduced them.

strlen() returns the length of the string not including the NUL character. We are using strcpy() to copy "name" into a buffer which is ORANGEFS_MAX_XATTR_NAMELEN characters long. We should make sure to leave space for the NUL, otherwise we're writing one character beyond the end of the buffer.

Fixes: e675c5ec51fe ("orangefs: clean up oversize xattr validation")
Signed-off-by: Dan Carpenter
Signed-off-by: Mike Marshall
Signed-off-by: Sasha Levin
---
 fs/orangefs/xattr.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/fs/orangefs/xattr.c b/fs/orangefs/xattr.c index 237c9c04dc3b..a34b25be39c5 100644 --- a/fs/orangefs/xattr.c +++ b/fs/orangefs/xattr.c @@ -76,7 +76,7 @@ ssize_t orangefs_inode_getxattr(struct inode *inode, const char *name, if (S_ISLNK(inode->i_mode)) return -EOPNOTSUPP; - if (strlen(name) > ORANGEFS_MAX_XATTR_NAMELEN) + if (strlen(name) >= ORANGEFS_MAX_XATTR_NAMELEN) return -EINVAL; fsuid = from_kuid(&init_user_ns, current_fsuid()); 
@@ -169,7 +169,7 @@ static int orangefs_inode_removexattr(struct inode *inode, const char *name, struct orangefs_kernel_op_s *new_op = NULL; int ret = -ENOMEM; - if (strlen(name) > ORANGEFS_MAX_XATTR_NAMELEN) + if (strlen(name) >= ORANGEFS_MAX_XATTR_NAMELEN) return -EINVAL; down_write(&orangefs_inode->xattr_sem); @@ -233,7 +233,7 @@ int orangefs_inode_setxattr(struct inode *inode, const char *name, if (size > ORANGEFS_MAX_XATTR_VALUELEN) return -EINVAL; - if (strlen(name) > ORANGEFS_MAX_XATTR_NAMELEN) + if (strlen(name) >= ORANGEFS_MAX_XATTR_NAMELEN) return -EINVAL; internal_flag = convert_to_internal_xattr_flags(flags); -- 2.17.1
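
Review bot: the test `strlen(name) >= ORANGEFS_MAX_XATTR_NAMELEN` in the orangefs_inode_getxattr hunk is repeated verbatim in orangefs_inode_removexattr and orangefs_inode_setxattr, and the commit message says an earlier cleanup got this exact comparison wrong. A single small helper, with a comment that the limit has to leave room for the terminating NUL, would keep the three call sites from drifting again. The copy is still a strcpy() according to the commit message, so this comparison is the only thing bounding it; a bounded copy such as strscpy() at the copy site would make the limit explicit where the write happens.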
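
Review bot: in the orangefs_inode_setxattr hunk the neighbouring test `size > ORANGEFS_MAX_XATTR_VALUELEN` keeps `>` while the name test directly below it changes to `>=`, and the commit message explains only the name case. If the value is copied by length with no terminator appended, a one-line comment above the size check saying so would stop the asymmetry from reading as a missed off-by-one; if a NUL is ever appended to the value, that check needs the same change.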