netdev.vger.kernel.org archive mirror
* [patch] 9p: strlen() doesn't count the terminator
@ 2010-07-10  9:51 Dan Carpenter
  2010-07-12 20:04 ` Andrew Morton
  0 siblings, 1 reply; 4+ messages in thread
From: Dan Carpenter @ 2010-07-10  9:51 UTC (permalink / raw)
  To: Eric Van Hensbergen
  Cc: David S. Miller, Abhishek Kulkarni, Venkateswararao Jujjuri,
	linux-kernel, Tilman Sauerbeck, netdev, kernel-janitors

This is an off by one bug because strlen() doesn't count the NULL
terminator.  We strcpy() addr into a fixed length array of size
UNIX_PATH_MAX later on.

The addr variable is the name of the device being mounted.

CC: stable@kernel.org
Signed-off-by: Dan Carpenter <error27@gmail.com>

diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c
index 98ce9bc..c85109d 100644
--- a/net/9p/trans_fd.c
+++ b/net/9p/trans_fd.c
@@ -948,7 +948,7 @@ p9_fd_create_unix(struct p9_client *client, const char *addr, char *args)
 
 	csocket = NULL;
 
-	if (strlen(addr) > UNIX_PATH_MAX) {
+	if (strlen(addr) >= UNIX_PATH_MAX) {
 		P9_EPRINTK(KERN_ERR, "p9_trans_unix: address too long: %s\n",
 			addr);
 		return -ENAMETOOLONG;
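
Review bot: the corrected test `strlen(addr) >= UNIX_PATH_MAX` is still written against the constant rather than against the array that the later strcpy() fills, so the check and the copy can drift apart if the destination ever changes size. Consider comparing against sizeof() of the destination array and adding a one-line comment that `>=` reserves the byte for the terminator, so nobody "simplifies" it back to `>`.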


* Re: [patch] 9p: strlen() doesn't count the terminator
  2010-07-10  9:51 [patch] 9p: strlen() doesn't count the terminator Dan Carpenter
@ 2010-07-12 20:04 ` Andrew Morton
  2010-07-12 21:51   ` Dan Carpenter
  2010-07-13  3:34   ` David Miller
  0 siblings, 2 replies; 4+ messages in thread
From: Andrew Morton @ 2010-07-12 20:04 UTC (permalink / raw)
  To: Dan Carpenter
  Cc: Eric Van Hensbergen, David S. Miller, Abhishek Kulkarni,
	Venkateswararao Jujjuri, linux-kernel, Tilman Sauerbeck, netdev,
	kernel-janitors

On Sat, 10 Jul 2010 11:51:54 +0200
Dan Carpenter <error27@gmail.com> wrote:

> This is an off by one bug because strlen() doesn't count the NULL
> terminator.  We strcpy() addr into a fixed length array of size
> UNIX_PATH_MAX later on.
> 
> The addr variable is the name of the device being mounted.
> 
> CC: stable@kernel.org
> Signed-off-by: Dan Carpenter <error27@gmail.com>
> 
> diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c
> index 98ce9bc..c85109d 100644
> --- a/net/9p/trans_fd.c
> +++ b/net/9p/trans_fd.c
> @@ -948,7 +948,7 @@ p9_fd_create_unix(struct p9_client *client, const char *addr, char *args)
>  
>  	csocket = NULL;
>  
> -	if (strlen(addr) > UNIX_PATH_MAX) {
> +	if (strlen(addr) >= UNIX_PATH_MAX) {
>  		P9_EPRINTK(KERN_ERR, "p9_trans_unix: address too long: %s\n",
>  			addr);
>  		return -ENAMETOOLONG;
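
Review bot: the P9_EPRINTK call in the error branch prints addr with an unbounded `%s`, and this branch is only reached when addr is at least UNIX_PATH_MAX characters long, so the whole over-long string lands in the kernel log. Consider bounding the output with a precision (`%.*s` limited to UNIX_PATH_MAX) or logging the length instead of the string.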

This bug doesn't strike me as serious enough to warrant backporting the fix
into -stable.  What was your thinking there?


* Re: [patch] 9p: strlen() doesn't count the terminator
  2010-07-12 20:04 ` Andrew Morton
@ 2010-07-12 21:51   ` Dan Carpenter
  2010-07-13  3:34   ` David Miller
  1 sibling, 0 replies; 4+ messages in thread
From: Dan Carpenter @ 2010-07-12 21:51 UTC (permalink / raw)
  To: Andrew Morton
  Cc: Eric Van Hensbergen, David S. Miller, Abhishek Kulkarni,
	Venkateswararao Jujjuri, linux-kernel, Tilman Sauerbeck, netdev,
	kernel-janitors

On Mon, Jul 12, 2010 at 01:04:58PM -0700, Andrew Morton wrote:
> > diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c
> > index 98ce9bc..c85109d 100644
> > --- a/net/9p/trans_fd.c
> > +++ b/net/9p/trans_fd.c
> > @@ -948,7 +948,7 @@ p9_fd_create_unix(struct p9_client *client, const char *addr, char *args)
> >  
> >  	csocket = NULL;
> >  
> > -	if (strlen(addr) > UNIX_PATH_MAX) {
> > +	if (strlen(addr) >= UNIX_PATH_MAX) {
> >  		P9_EPRINTK(KERN_ERR, "p9_trans_unix: address too long: %s\n",
> >  			addr);
> >  		return -ENAMETOOLONG;
> 
> This bug doesn't strike me as serious enough to warrant backporting the fix
> into -stable.  What was your thinking there?

I don't feel strongly about it.  It's safe enough and it applies
cleanly.  On the other hand, root should always control the name of the
device to mount so it's not a big deal.

regards,
dan carpenter


* Re: [patch] 9p: strlen() doesn't count the terminator
  2010-07-12 20:04 ` Andrew Morton
  2010-07-12 21:51   ` Dan Carpenter
@ 2010-07-13  3:34   ` David Miller
  1 sibling, 0 replies; 4+ messages in thread
From: David Miller @ 2010-07-13  3:34 UTC (permalink / raw)
  To: akpm
  Cc: error27, ericvh, adkulkar, jvrao, linux-kernel, tilman, netdev,
	kernel-janitors

From: Andrew Morton <akpm@linux-foundation.org>
Date: Mon, 12 Jul 2010 13:04:58 -0700

> This bug doesn't strike me as serious enough to warrant backporting the fix
> into -stable.  What was your thinking there?

Meanwhile I'll queue this up to net-next-2.6, thanks.
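
The boundary case discussed in this thread, as an added userspace example (not code from the patch or from the kernel tree). It assumes the destination is the `sun_path` array of `struct sockaddr_un`, whose size stands in for UNIX_PATH_MAX; all function names are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Capacity of the destination array, terminator included (assumption:
 * sun_path plays the role of the UNIX_PATH_MAX-sized array). */
#define PATH_CAP (sizeof(((struct sockaddr_un *)0)->sun_path))

/* Pre-patch test: accepts a name of exactly PATH_CAP characters. */
static int check_before(const char *addr)
{
	return strlen(addr) > PATH_CAP ? -ENAMETOOLONG : 0;
}

/* Post-patch test: rejects it, leaving one byte for the terminator. */
static int check_after(const char *addr)
{
	return strlen(addr) >= PATH_CAP ? -ENAMETOOLONG : 0;
}

/* Bytes a strcpy() of addr would write: the characters plus the '\0'. */
static size_t bytes_written(const char *addr) { return strlen(addr) + 1; }

/* Bound tied to the destination itself, copy done with a known length. */
static int fill_sockaddr(struct sockaddr_un *sa, const char *addr)
{
	size_t len = strlen(addr);

	if (len >= sizeof(sa->sun_path))	/* ">=" keeps room for '\0' */
		return -ENAMETOOLONG;
	memset(sa, 0, sizeof(*sa));
	sa->sun_family = AF_UNIX;
	memcpy(sa->sun_path, addr, len + 1);
	return 0;
}

/* Constructed sample input: a name made of n 'a' characters. */
static void make_name(char *buf, size_t n) { memset(buf, 'a', n); buf[n] = '\0'; }

int main(void)
{
	char name[256];

	make_name(name, PATH_CAP);	/* the one length the old test missed */
	printf("cap=%zu would_write=%zu before=%d after=%d\n", PATH_CAP,
	       bytes_written(name), check_before(name), check_after(name));
	return 0;
}
```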
