orangefs: strncpy -> strscpy
authorMartin Brandenburg <martin@omnibond.com>
Fri, 8 Apr 2016 17:33:21 +0000 (13:33 -0400)
committerMike Marshall <hubcap@omnibond.com>
Fri, 8 Apr 2016 18:10:34 +0000 (14:10 -0400)
It would have been possible for a rogue client-core to send in a symlink
target which is not NUL terminated. This returns EIO if the client-core
gives us corrupt data.

Leave debugfs and superblock code as is for now.

Other dcache.c and namei.c strncpy instances are safe because
ORANGEFS_NAME_MAX = NAME_MAX + 1; there is always enough space for a
name plus a NUL byte.

Signed-off-by: Martin Brandenburg <martin@omnibond.com>
Signed-off-by: Mike Marshall <hubcap@omnibond.com>
fs/orangefs/orangefs-utils.c

index 40f5163b56aa02142b4be4ed64eabd5a96ccfc18..f392a6a362b43ac709e35810b9cba6d870952a3e 100644 (file)
@@ -315,9 +315,13 @@ int orangefs_inode_getattr(struct inode *inode, int new, int size)
                        inode->i_size = (loff_t)strlen(new_op->
                            downcall.resp.getattr.link_target);
                        orangefs_inode->blksize = (1 << inode->i_blkbits);
-                       strlcpy(orangefs_inode->link_target,
+                       ret = strscpy(orangefs_inode->link_target,
                            new_op->downcall.resp.getattr.link_target,
                            ORANGEFS_NAME_MAX);
+                       if (ret == -E2BIG) {
+                               ret = -EIO;
+                               goto out;
+                       }
                        inode->i_link = orangefs_inode->link_target;
                }
                break;