From: Al Viro
Subject: Re: [PATCH] fs: Check fsname's length in get_filesystem_list().
Date: Thu, 9 Apr 2009 22:02:13 +0100
Message-ID: <20090409210213.GG26366@ZenIV.linux.org.uk>
References: <200904092018.GDD69286.OVOLJSFtFOQMHF@I-love.SAKURA.ne.jp>
In-Reply-To: <200904092018.GDD69286.OVOLJSFtFOQMHF@I-love.SAKURA.ne.jp>
To: Tetsuo Handa
Cc: linux-fsdevel@vger.kernel.org

On Thu, Apr 09, 2009 at 08:18:11PM +0900, Tetsuo Handa wrote:
> Since "struct file_system_type"->name does not limit the max length,
> one might pass a name with strlen(name) >= 80.
>
> 	while (tmp && len < PAGE_SIZE - 80) {
> 		len += sprintf(buf+len, "%s\t%s\n",
> 			(tmp->fs_flags & FS_REQUIRES_DEV) ? "" : "nodev",
> 			tmp->name);
>
> This can cause buffer overrun if somebody builds in a very very long filesystem
> name (as shown in example code below); although unlikely to happen, for
> get_filesystem_list() is called only once upon boot.

Doctor, it hurts when I do it...
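
Added example, not part of either message and not the patch under discussion: a userspace model of the quoted loop, showing that the "len < PAGE_SIZE - 80" guard only holds while every line is at most 80 bytes, next to one bounded variant. The 4096-byte page, the FS_REQUIRES_DEV value, the reduced struct, build_sample() and the sample names are assumptions made for the model.

```c
#include <stdio.h>
#include <string.h>
#undef PAGE_SIZE
#define PAGE_SIZE 4096UL          /* assumed page size for this userspace model */
#define FS_REQUIRES_DEV 1         /* flag value assumed for the model */
struct file_system_type {         /* reduced to the fields the quoted loop reads */
	const char *name;
	int fs_flags;
	struct file_system_type *next;
} chain[512];                     /* constructed sample list */
char long_name[256], page[PAGE_SIZE];   /* page[] stands in for the page buffer */
static size_t entry_len(const struct file_system_type *fs)
{
	const char *dev = (fs->fs_flags & FS_REQUIRES_DEV) ? "" : "nodev";
	return strlen(dev) + 1 + strlen(fs->name) + 1;  /* "%s\t%s\n", no NUL */
}
/* Offset the quoted loop would reach; computed, never written. */
size_t unchecked_end(const struct file_system_type *tmp)
{
	size_t len = 0;
	for (; tmp && len < PAGE_SIZE - 80; tmp = tmp->next)
		len += entry_len(tmp);
	return len;
}
/* Bounded variant: stop before the first entry that does not fit. */
size_t list_bounded(const struct file_system_type *tmp, char *buf)
{
	size_t len = 0;
	for (; tmp && entry_len(tmp) < PAGE_SIZE - len; tmp = tmp->next)
		len += (size_t)snprintf(buf + len, PAGE_SIZE - len, "%s\t%s\n",
			(tmp->fs_flags & FS_REQUIRES_DEV) ? "" : "nodev", tmp->name);
	return len;
}
/* Constructed sample: n "nodev sysfs" entries (n < 512), then one entry
 * whose name is name_len bytes long (name_len < 256). */
const struct file_system_type *build_sample(int n, size_t name_len)
{
	memset(long_name, 'x', name_len);
	long_name[name_len] = '\0';
	for (int i = 0; i <= n; i++) {
		chain[i].name = (i < n) ? "sysfs" : long_name;
		chain[i].next = (i < n) ? &chain[i + 1] : NULL;
	}
	return chain;
}
int main(void)
{
	const struct file_system_type *fs = build_sample(334, 100);
	printf("unchecked: %zu, bounded: %zu\n", unchecked_end(fs), list_bounded(fs, page));
	return 0;
}
```

With 334 short entries the offset is 4008, still under the guard's 4016, so a 100-byte name carries the unchecked loop past the end of the page while the bounded variant stops at 4008.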