    fs/coda: fix readlink buffer overflow · 3725e9dd
    Jan Harkes authored
    Dan Carpenter discovered a buffer overflow in the Coda file system
    readlink code.  A userspace file system daemon can return a 4096 byte
    result which then triggers a one byte write past the allocated readlink
    result buffer.
    
    This does not trigger with an unmodified Coda implementation because Coda
    has a 1024 byte limit for symbolic links, however other userspace file
    systems using the Coda kernel module could be affected.
    
    Although this is an obvious overflow, I don't think this has to be handled
    as too sensitive from a security perspective because the overflow is on
    the Coda userspace daemon side which already needs root to open Coda's
    kernel device and to mount the file system before we get to the point that
    links can be read.
    
    [akpm@linux-foundation.org: coding-style fixes]
    Signed-off-by: Jan Harkes <jaharkes@cs.cmu.edu>
    Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
upcall.c 22.8 KB
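
The bug class the commit message describes, as an added illustration that is not the kernel's code or the patch itself: a reply whose length equals the buffer size is copied in full and then terminated one byte past the end. The struct, function names and guard byte are hypothetical, and the sketch assumes the stray byte is the string terminator; only the 4096 and 1024 byte figures come from the message.

```c
#include <stddef.h>
#include <string.h>

#define LINK_BUF 4096   /* size of the readlink result buffer (from the message) */
#define CANARY   0xAA   /* guard byte placed directly after the buffer */

/* Constructed stand-in for a daemon reply: the daemon picks count and data. */
struct reply {
    size_t count;
    char data[LINK_BUF + 64];
};

/* Flawed variant: clamps to the buffer size, then terminates at buf[len]. */
static size_t copy_link_unsafe(char *buf, size_t buflen, const struct reply *r)
{
    size_t len = r->count;
    if (len > buflen)
        len = buflen;
    memcpy(buf, r->data, len);
    buf[len] = '\0';    /* buf[buflen] when len == buflen: one byte too far */
    return len;
}

/* Hardened variant: reserve room for the terminator before copying. */
static size_t copy_link_safe(char *buf, size_t buflen, const struct reply *r)
{
    size_t len = r->count;
    if (buflen == 0) return 0;
    if (len >= buflen)
        len = buflen - 1;
    memcpy(buf, r->data, len);
    buf[len] = '\0';
    return len;
}

/* Runs one variant on a reply of `count` bytes; returns 1 if the guard byte
 * after the buffer is untouched, 0 if the copy wrote past the buffer. */
static int canary_intact(size_t count, int use_safe)
{
    static struct reply r;
    static unsigned char backing[LINK_BUF + 1];  /* buffer plus guard byte */
    memset(r.data, 'a', sizeof r.data);
    r.count = count;
    backing[LINK_BUF] = CANARY;
    (use_safe ? copy_link_safe : copy_link_unsafe)((char *)backing, LINK_BUF, &r);
    return backing[LINK_BUF] == CANARY;
}
```

A 1024 byte reply never reaches the guard byte in either variant, which matches the message's note that an unmodified Coda daemon does not trigger the overflow.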