From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Dominique Martinet, Sasha Levin
Subject: [PATCH 4.19 17/72] 9p: p9dirent_read: check network-provided name length
Date: Tue, 2 Jul 2019 10:01:18 +0200
Message-Id: <20190702080125.531909802@linuxfoundation.org>
In-Reply-To: <20190702080124.564652899@linuxfoundation.org>

[ Upstream commit ef5305f1f72eb1cfcda25c382bb0368509c0385b ]

strcpy to dirent->d_name could overflow the buffer, use strscpy to check
the provided string length and error out if the size was too big.

While we are here, make the function return an error when the pdu
parsing failed, instead of returning the pdu offset as if it had been a
success...

Link: http://lkml.kernel.org/r/1536339057-21974-4-git-send-email-asmadeus@codewreck.org
Addresses-Coverity-ID: 139133 ("Copy into fixed size buffer")
Signed-off-by: Dominique Martinet
Signed-off-by: Sasha Levin
---
 net/9p/protocol.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/net/9p/protocol.c b/net/9p/protocol.c
index b4d80c533f89..462ba144cb39 100644
--- a/net/9p/protocol.c
+++ b/net/9p/protocol.c
@@ -623,13 +623,19 @@ int p9dirent_read(struct p9_client *clnt, char *buf, int len, if (ret) { p9_debug(P9_DEBUG_9P, "<<< p9dirent_read failed: %d\n", ret); trace_9p_protocol_dump(clnt, &fake_pdu); - goto out; + return ret; } - strcpy(dirent->d_name, nameptr); + ret = strscpy(dirent->d_name, nameptr, sizeof(dirent->d_name)); + if (ret < 0) { + p9_debug(P9_DEBUG_ERROR, + "On the wire dirent name too long: %s\n", + nameptr); + kfree(nameptr); + return ret; + } kfree(nameptr); -out: return fake_pdu.offset; } EXPORT_SYMBOL(p9dirent_read); -- 2.20.1
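Review bot: In the new `if (ret < 0)` branch, the p9_debug() call prints all of nameptr with "%s", and nameptr is the network-provided string that strscpy() has just reported as too long for dirent->d_name, so the peer controls the size of the log line. Consider bounding the output, for example "%.*s" with (int)sizeof(dirent->d_name), or logging only the length. Two smaller points: the first branch now does `return ret` under `if (ret)` while the success path returns fake_pdu.offset, so a short comment on the function stating that errors are negative and success is the offset would make the contract explicit for callers, since the visible lines only test ret for non-zero there. The kfree(nameptr) is now duplicated across the error and success paths; freeing once right after the strscpy() call and then testing ret would remove the duplication, provided the debug message no longer dereferences nameptr.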