From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Dominique Martinet, Sasha Levin
Subject: [PATCH 4.4 34/73] 9p: p9dirent_read: check network-provided name length
Date: Mon, 8 Jul 2019 17:12:44 +0200
Message-Id: <20190708150523.138424521@linuxfoundation.org>
X-Mailer: git-send-email 2.22.0
In-Reply-To: <20190708150513.136580595@linuxfoundation.org>
References: <20190708150513.136580595@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

[ Upstream commit ef5305f1f72eb1cfcda25c382bb0368509c0385b ]

strcpy to dirent->d_name could overflow the buffer, use strscpy to check the provided string length and error out if the size was too big.

While we are here, make the function return an error when the pdu parsing failed, instead of returning the pdu offset as if it had been a success...

Link: http://lkml.kernel.org/r/1536339057-21974-4-git-send-email-asmadeus@codewreck.org
Addresses-Coverity-ID: 139133 ("Copy into fixed size buffer")
Signed-off-by: Dominique Martinet
Signed-off-by: Sasha Levin
--- net/9p/protocol.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/net/9p/protocol.c b/net/9p/protocol.c index 7f1b45c082c9..ed1e39ccaebf 100644 --- a/net/9p/protocol.c +++ b/net/9p/protocol.c 
@@ -622,13 +622,19 @@ int p9dirent_read(struct p9_client *clnt, char *buf, int len, if (ret) { p9_debug(P9_DEBUG_9P, "<<< p9dirent_read failed: %d\n", ret); trace_9p_protocol_dump(clnt, &fake_pdu); - goto out; + return ret; } - strcpy(dirent->d_name, nameptr); + ret = strscpy(dirent->d_name, nameptr, sizeof(dirent->d_name)); + if (ret < 0) { + p9_debug(P9_DEBUG_ERROR, + "On the wire dirent name too long: %s\n", + nameptr); + kfree(nameptr); + return ret; + } kfree(nameptr); -out: return fake_pdu.offset; } EXPORT_SYMBOL(p9dirent_read); -- 2.20.1
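Review bot: The new error path in p9dirent_read() logs the rejected name in full with `"On the wire dirent name too long: %s\n", nameptr`, so a string that was just refused for being larger than sizeof(dirent->d_name), and that the subject line describes as network-provided, is written unbounded into the kernel log. I would cap it with a precision, for example `%.*s` limited to sizeof(dirent->d_name), or log only its length, so the peer cannot inject arbitrarily long content into the log through this message. A smaller point in the same hunk: kfree(nameptr) now appears on both the strscpy failure path and the success path. Keeping a single exit label that frees nameptr and then returns either ret or fake_pdu.offset would leave one place to get the cleanup right. It would also help to note in the function's comment that a failed parse now returns the error from the read instead of the pdu offset, since callers that treated any return value as an offset will behave differently after this change.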