From mboxrd@z Thu Jan  1 00:00:00 1970
From: jim owens <jowens@hp.com>
Subject: Re: [PATCH] Btrfs: support security xattr with SELinux enabled
Date: Wed, 07 Jan 2009 19:22:58 -0500
Message-ID: <49654762.5050308@hp.com>
References: <49650E5A.3030602@hp.com> <20090107204846.GG5266@unused.rdu.redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Cc: linux-btrfs <linux-btrfs@vger.kernel.org>
To: Josef Bacik <jbacik@redhat.com>
Return-path: <linux-btrfs-owner@vger.kernel.org>
In-Reply-To: <20090107204846.GG5266@unused.rdu.redhat.com>
List-ID: <linux-btrfs.vger.kernel.org>

Josef Bacik wrote:
> On Wed, Jan 07, 2009 at 03:19:38PM -0500, jim owens wrote:
>> +int btrfs_xattr_security_init(struct inode *inode, struct inode *dir)
>> +{
>> +	int err;
>> +	size_t len;
>> +	void *value;
>> +	char *suffix;
>> +	char *name;
>> +
>> +	err = security_inode_init_security(inode, dir, &suffix, &value, &len);
>> +	if (err) {
>> +		if (err == -EOPNOTSUPP)
>> +			return 0;
>> +		return err;
>> +	}
>> +
>> +	name = kmalloc(XATTR_SECURITY_PREFIX_LEN + strlen(suffix) + 1,
>> +		       GFP_NOFS);
> 
> Use kzalloc here otherwise the end of name could be some random thing and
> strlen() will read past the end of the memory.  Thanks,

I don't understand what you think can happen...

+        strcpy(name, XATTR_SECURITY_PREFIX);
+        strcpy(name + XATTR_SECURITY_PREFIX_LEN, suffix);

always forces "name" to be \0 terminated.

jim