From: Eric Whitney <enwlinux@gmail.com>
To: linux-ext4@vger.kernel.org
Cc: tytso@mit.edu
Subject: [PATCH] libext2fs: fix inode cache overruns
Date: Sat, 17 Nov 2012 13:37:45 -0500 [thread overview]
Message-ID: <20121117183745.GA8489@wallace> (raw)
An inode cache slot will be overrun if a caller to ext2fs_read_inode_full()
or ext2fs_write_inode_full() attempts to read or write a full sized 156
byte inode when the target filesystem contains 128 byte inodes. Limit the
copied inode to the smaller of the target filesystem's or the caller's
requested inode size.
Signed-off-by: Eric Whitney <enwlinux@gmail.com>
---
lib/ext2fs/inode.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/lib/ext2fs/inode.c b/lib/ext2fs/inode.c
index 0ea210e..e47d664 100644
--- a/lib/ext2fs/inode.c
+++ b/lib/ext2fs/inode.c
@@ -582,7 +582,8 @@ errcode_t ext2fs_read_inode_full(ext2_filsys fs, ext2_ino_t ino,
/* Check to see if it's in the inode cache */
for (i = 0; i < fs->icache->cache_size; i++) {
if (fs->icache->cache[i].ino == ino) {
- memcpy(inode, fs->icache->cache[i].inode, bufsize);
+ memcpy(inode, fs->icache->cache[i].inode,
+ (bufsize > length) ? length : bufsize);
return 0;
}
}
@@ -649,7 +650,7 @@ errcode_t ext2fs_read_inode_full(ext2_filsys fs, ext2_ino_t ino,
/* Update the inode cache bookkeeping */
fs->icache->cache_last = cache_slot;
fs->icache->cache[cache_slot].ino = ino;
- memcpy(inode, iptr, bufsize);
+ memcpy(inode, iptr, (bufsize > length) ? length : bufsize);
return 0;
}
@@ -705,7 +706,7 @@ errcode_t ext2fs_write_inode_full(ext2_filsys fs, ext2_ino_t ino,
for (i=0; i < fs->icache->cache_size; i++) {
if (fs->icache->cache[i].ino == ino) {
memcpy(fs->icache->cache[i].inode, inode,
- bufsize);
+ (bufsize > length) ? length : bufsize);
break;
}
}
--
1.7.10.4
next reply other threads:[~2012-11-17 18:37 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-11-17 18:37 Eric Whitney [this message]
2012-11-29 23:14 ` [PATCH] libext2fs: fix inode cache overruns Eric Whitney
2012-11-30 1:46 ` Theodore Ts'o
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20121117183745.GA8489@wallace \
--to=enwlinux@gmail.com \
--cc=linux-ext4@vger.kernel.org \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).