From mboxrd@z Thu Jan  1 00:00:00 1970
From: Ryan Mallon <rmallon@gmail.com>
Subject: [PATCH][REPOST] Check maxlen on strnlen_user usage
Date: Thu, 08 Sep 2011 09:54:18 +1000
Message-ID: <4E68042A.1050406@gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: linux-fsdevel@vger.kernel.org,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	Andrew Morton <akpm@linux-foundation.org>,
	"trivial@kernel.org" <trivial@kernel.org>
To: Mark Salter <msalter@redhat.com>,
	Alexander Viro <viro@zeniv.linux.org.uk>
Return-path: <linux-kernel-owner@vger.kernel.org>
Sender: linux-kernel-owner@vger.kernel.org
List-Id: linux-fsdevel.vger.kernel.org

strnlen_user returns the length of the string including the nul 
terminator. In the case where maxlen is reached strnlen_user returns 
maxlen + 1. Most callsites already check for this condition. Fix the 
call to strnlen_user in fs/exec.c to check for the maxlen case.

Signed-off-by: Ryan Mallon <rmallon@gmail.com>
---

diff --git a/fs/exec.c b/fs/exec.c
index 25dcbe5..e19588c 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -481,7 +481,7 @@ static int copy_strings(int argc, struct 
user_arg_ptr argv,
  			goto out;

  		len = strnlen_user(str, MAX_ARG_STRLEN);
-		if (!len)
+		if (!len || len>  MAX_ARG_STRLEN)
  			goto out;

  		ret = -E2BIG;