Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp7147796ybi; Mon, 8 Jul 2019 15:36:07 -0700 (PDT) X-Google-Smtp-Source: APXvYqzoKAReQusqM/St1BhhLfVLhMEJnZbFfFohmqcLpa1cdTQCRQTLfy1m8+UX3BiUGvFKBpzo X-Received: by 2002:a17:90a:9488:: with SMTP id s8mr22343733pjo.2.1562625367080; Mon, 08 Jul 2019 15:36:07 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1562625367; cv=none; d=google.com; s=arc-20160816; b=vJ+2tt9/e5GjwV8Uq6xLgEk9jRw0KcwYYp7asnp4DvSWnMMcLnjQ1ujuxFir1Q6nwv CKoh+dwtyjReAQEpG/7xPv9JX7AChVTeSLSFgF7oQumYSHe7BTKbed+nEeHE+Ie/AT/w vrLbGslcy+vu8tHV2SadSfCdt73s4QyHPhvO3PP6A9mQ0v/c1NqifNQrVb2vGulxDCqr 5K0KIzMA56hbyob8lyWDkOr+5X22EZjhavp8LUGBtjlLX1QBGsRVic5YUFp7Xck0QQAB Y229/NtZyze1/d9kVrXTPY5vAaRxrfU74nTMukJwNezwLtW9NUKPYKf9WPogeO7VYrge jS0A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=Sad+vO3iioJU3DyVVhIWnLTWYXMpO6NaVgV4VbmurSY=; b=gR1QOdiVoRMLRkGHXzdwHgKuo+LukTyUq84IVF2x6yzfsmDL301pBcU4Gae5Fg7n5F nN9nS8qhCgk97D997lRYenWlXj6AWUHHLhnBYKrSjzQx5OHAoIctqWGfc+wZKGmzdRkv VnZDnR8hharh5zqnl10RDOjTwNTArjacUHK7yMnQGDxicL8sIOGLQUn9nbb88fhIGgZM sei00kqi6hV94XWK8Ia0iXZEmCyzwznDULIfwAW/M+13xKizKw/I5HkVKomvzTxqYJim DwH6XJcy2wD47Zka94t+hKl2oM3tPb2iqi//PCMrJejwAidwtV+4gzRco4WCXUu7kxja ZsRQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=XdFYGuDG; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 124si19512217pgg.581.2019.07.08.15.35.52; Mon, 08 Jul 2019 15:36:07 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=XdFYGuDG; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2387503AbfGHPVT (ORCPT + 99 others); Mon, 8 Jul 2019 11:21:19 -0400 Received: from mail.kernel.org ([198.145.29.99]:46696 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2387463AbfGHPVL (ORCPT ); Mon, 8 Jul 2019 11:21:11 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 4C2F4216E3; Mon, 8 Jul 2019 15:21:10 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1562599270; bh=BWQn4Y4qK6HbYLiSOpGlpq0TsqilyQe9mQ1+O4E9Qk8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=XdFYGuDGRq5nfGcHu6CMifsp7apQ2+/eP5qrBPGg/bDlpZP6xlaOPH2e9yzMV694P MNZ4fPsjzt78vp30hwzygmGnHwLc4r82oiNc5dFRYr08x9ysfLP+5KEh2P9h9HSQn5 q9ZnV+T/eOs4BZtDoNFE1yqd1+nGgOySuYACFHug= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Dominique Martinet , Sasha Levin Subject: [PATCH 4.9 043/102] 9p: p9dirent_read: check network-provided name length Date: Mon, 8 Jul 2019 17:12:36 +0200 Message-Id: <20190708150528.654850085@linuxfoundation.org> X-Mailer: git-send-email 2.22.0 In-Reply-To: <20190708150525.973820964@linuxfoundation.org> References: <20190708150525.973820964@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org [ Upstream commit ef5305f1f72eb1cfcda25c382bb0368509c0385b ] strcpy to dirent->d_name could overflow the buffer, use strscpy to check the provided string length and error out if the size was too big. While we are here, make the function return an error when the pdu parsing failed, instead of returning the pdu offset as if it had been a success... Link: http://lkml.kernel.org/r/1536339057-21974-4-git-send-email-asmadeus@codewreck.org Addresses-Coverity-ID: 139133 ("Copy into fixed size buffer") Signed-off-by: Dominique Martinet Signed-off-by: Sasha Levin --- net/9p/protocol.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/net/9p/protocol.c b/net/9p/protocol.c index 7f1b45c082c9..ed1e39ccaebf 100644 --- a/net/9p/protocol.c +++ b/net/9p/protocol.c @@ -622,13 +622,19 @@ int p9dirent_read(struct p9_client *clnt, char *buf, int len, if (ret) { p9_debug(P9_DEBUG_9P, "<<< p9dirent_read failed: %d\n", ret); trace_9p_protocol_dump(clnt, &fake_pdu); - goto out; + return ret; } - strcpy(dirent->d_name, nameptr); + ret = strscpy(dirent->d_name, nameptr, sizeof(dirent->d_name)); + if (ret < 0) { + p9_debug(P9_DEBUG_ERROR, + "On the wire dirent name too long: %s\n", + nameptr); + kfree(nameptr); + return ret; + } kfree(nameptr); -out: return fake_pdu.offset; } EXPORT_SYMBOL(p9dirent_read); -- 2.20.1