From mboxrd@z Thu Jan 1 00:00:00 1970 From: Mike Waychison Subject: harden against corrupt symlinks Date: Tue, 31 May 2005 16:02:46 -0700 Message-ID: <429CED16.2040406@google.com> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="------------000409000608060709090206" Cc: linux-fsdevel@vger.kernel.org Return-path: Received: from 216-239-45-4.google.com ([216.239.45.4]:556 "EHLO 216-239-45-4.google.com") by vger.kernel.org with ESMTP id S261208AbVEaXDM (ORCPT ); Tue, 31 May 2005 19:03:12 -0400 To: viro@parcelfarce.linux.theplanet.co.uk Sender: linux-fsdevel-owner@vger.kernel.org List-Id: linux-fsdevel.vger.kernel.org This is a multi-part message in MIME format. --------------000409000608060709090206 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Hi Al, We've hit the situation a few times where a corrupt symlink could easily oops the kernel. The problem was tracked down to an older e2fsutils that didn't do much sanity checking on symlinks during a fsck. This patch uses strnlen when reading in the symlink and ensures that it doesn't exceed PATH_MAX. Would you accept this kind of 'hardening'? Signed-off-by: Mike Waychison --------------000409000608060709090206 Content-Type: text/plain; name="symlink_run_off.patch" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="symlink_run_off.patch" --- linux-2.6/fs/namei.c 2005-05-24 11:13:09.000000000 -0700 +++ linux-2.6/fs/namei.c 2005-05-24 11:13:12.000000000 -0700 @@ -1936,7 +1936,12 @@ int vfs_readlink(struct dentry *dentry, if (IS_ERR(link)) goto out; - len = strlen(link); + len = strnlen(link, PATH_MAX); + if (len == PATH_MAX) { + len = -ENAMETOOLONG; + goto out; + } + if (len > (unsigned) buflen) len = buflen; if (copy_to_user(buffer, link, len)) 
@@ -1953,6 +1958,11 @@ __vfs_follow_link(struct nameidata *nd, if (IS_ERR(link)) goto fail; + if (strnlen(link, PATH_MAX) == PATH_MAX) { + link = ERR_PTR(-ENAMETOOLONG); + goto fail; + } + if (*link == '/') { path_release(nd); if (!walk_init_root(link, nd)) --------------000409000608060709090206--
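
Review bot: In the vfs_readlink hunk, strnlen(link, PATH_MAX) only bounds the scan if at least PATH_MAX bytes are readable at link, and nothing in the visible lines establishes the size of the buffer behind it. If that buffer can be shorter than PATH_MAX, an unterminated symlink body is still read past its end before the len == PATH_MAX test fires. Consider bounding the scan by the real size of the backing buffer, or stating the PATH_MAX-readable requirement where link is obtained. A one-line comment above the check saying that it rejects a symlink with no terminating NUL would also make it clear that the == PATH_MAX comparison is intentional.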
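
Review bot: In the __vfs_follow_link hunk, the strnlen(link, PATH_MAX) == PATH_MAX test is a second copy of the check added to vfs_readlink, so the bound and the -ENAMETOOLONG error now live in two places that can drift apart. A small shared helper that both sites call would keep them in step and give one place to document why the check exists. The placement before the *link == '/' test is right, but the length computed here is thrown away, so every link follow pays for a scan of up to PATH_MAX bytes whose result is not reused. It is worth saying in the changelog whether that cost is acceptable on this path.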