[PATCH] d_path()

[PATCH] d_path()

[Benoit Timbert]

Hello,

I have found this advisory on BUGTRAQ about d_path() :
http://online.securityfocus.com/archive/1/264117


I have made the following modifications in the d_path() of
Linux 2.2.20 : d_path() return an empty string when the path is
too large.

--- /usr/src/linux/fs/dcache.c.orig	Fri Nov  2 17:39:08 2001
+++ /usr/src/linux/fs/dcache.c	Wed Mar 27 23:30:32 2002
@@ -794,8 +794,11 @@
 			break;
 		namelen = dentry->d_name.len;
 		buflen -= namelen + 1;
-		if (buflen < 0)
+		if (buflen < 0) {
+			/* FIXME : buffer overflow -> no return */
+			retval = buffer+buflen;
 			break;
+		}
 		end -= namelen;
 		memcpy(end, dentry->d_name.name, namelen);
 		*--end = '/';

---

I don't know, if it really fixes well the problem, but i tested the
proposed exploit on my patched kernel and getcwd() does return an error.

It is probable that you have already fixed this, in a better way.

Benoît Timbert

is http://bkbits.net down?

[Petko Manolov]

Is it some sort of scheduled maintenance or the mashine is just
down?
...or it is just my ISP?


		Petko

Re: is http://bkbits.net down?

[David S. Miller]

   From: Petko Manolov <pmanolov@Lnxw.COM>
   Date: Wed, 27 Mar 2002 16:42:13 -0800

   Is it some sort of scheduled maintenance or the mashine is just
   down?
   ...or it is just my ISP?

Yes, Larry sent an email earlier today to this list explaining what is
happening.  It's unfortunate that you did not read it.