From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Dominique Martinet, Sasha Levin
Subject: [PATCH 4.19 17/72] 9p: p9dirent_read: check network-provided name length
Date: Tue, 2 Jul 2019 10:01:18 +0200
Message-Id: <20190702080125.531909802@linuxfoundation.org>
In-Reply-To: <20190702080124.564652899@linuxfoundation.org>
References: <20190702080124.564652899@linuxfoundation.org>

[ Upstream commit ef5305f1f72eb1cfcda25c382bb0368509c0385b ]

strcpy to dirent->d_name could overflow the buffer, use strscpy to check the provided string length and error out if the size was too big.

While we are here, make the function return an error when the pdu parsing failed, instead of returning the pdu offset as if it had been a success...

Link: http://lkml.kernel.org/r/1536339057-21974-4-git-send-email-asmadeus@codewreck.org
Addresses-Coverity-ID: 139133 ("Copy into fixed size buffer")
Signed-off-by: Dominique Martinet
Signed-off-by: Sasha Levin

--- net/9p/protocol.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/net/9p/protocol.c b/net/9p/protocol.c index b4d80c533f89..462ba144cb39 100644 --- a/net/9p/protocol.c +++ b/net/9p/protocol.c 
@@ -623,13 +623,19 @@ int p9dirent_read(struct p9_client *clnt, char *buf, int len, if (ret) { p9_debug(P9_DEBUG_9P, "<<< p9dirent_read failed: %d\n", ret); trace_9p_protocol_dump(clnt, &fake_pdu); - goto out; + return ret; } - strcpy(dirent->d_name, nameptr); + ret = strscpy(dirent->d_name, nameptr, sizeof(dirent->d_name)); + if (ret < 0) { + p9_debug(P9_DEBUG_ERROR, + "On the wire dirent name too long: %s\n", + nameptr); + kfree(nameptr); + return ret; + } kfree(nameptr); -out: return fake_pdu.offset; } EXPORT_SYMBOL(p9dirent_read); -- 2.20.1
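Review bot: In the new `if (ret < 0)` branch, the p9_debug(P9_DEBUG_ERROR, ...) call prints nameptr with an unbounded `%s`, and this branch is reached precisely when the network-provided name did not fit in dirent->d_name, so the full over-long, server-controlled string goes to the log. Consider logging only its length, or bounding the output with a precision such as `%.*s` limited to sizeof(dirent->d_name). Two smaller points on the same hunk: when strscpy reports truncation it has already written a truncated, NUL-terminated name into dirent->d_name, so a comment that the dirent contents are not valid on a negative return would help callers; and since both the parse-failure path (`return ret` replacing `goto out`) and the new length check now return a negative value where a pdu offset was returned before, it is worth confirming that every caller of p9dirent_read tests for a negative result before using it as an offset.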