From 5640724e08121ccc6bdf0b61dd0fed53516b5581 Mon Sep 17 00:00:00 2001 From: Shiyong Li Date: Fri, 8 Dec 2017 17:32:02 -0800 Subject: [PATCH] fs/exfat: avoid setting 0 over buffer uniname utf8s_to_utf16s could return -EINVAL(-22), then uniname[i] = uniname[-22] = '\0' will corrupt other local variable. uniname is a local variable having different address everytime when call nls_cstring_to_uniname. so uniname[-22] could corrupt some different addresses. and also when filename reaches at maximum length, need to leave last one space in buffer for '\0' Change-Id: I44bbdd3249150ad5617c7cd13207cfa37b102a77 Signed-off-by: Shengzhe Zhao Signed-off-by: Shiyong Li Reviewed-on: https://gerrit.mot.com/1102179 SLTApproved: Slta Waiver SME-Granted: SME Approvals Granted Tested-by: Jira Key Reviewed-by: Igor Kovalenko Submit-Approved: Jira Key Reviewed-on: https://gerrit.mot.com/1276880 Reviewed-by: Hua Tan --- fs/exfat/exfat_nls.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/fs/exfat/exfat_nls.c b/fs/exfat/exfat_nls.c index a48b3d05a7c4..a0ba86b63087 100644 --- a/fs/exfat/exfat_nls.c +++ b/fs/exfat/exfat_nls.c @@ -296,6 +296,9 @@ void nls_uniname_to_cstring(struct super_block *sb, u8 *p_cstring, UNI_NAME_T *p if (nls == NULL) { len = utf16s_to_utf8s(uniname, MAX_NAME_LENGTH, UTF16_HOST_ENDIAN, p_cstring, MAX_NAME_LENGTH); + if (len >= MAX_NAME_LENGTH * MAX_CHARSET_SIZE) + len--; + p_cstring[len] = 0; return; } @@ -360,7 +363,11 @@ void nls_cstring_to_uniname(struct super_block *sb, UNI_NAME_T *p_uniname, u8 *p #endif for (j = 0; j < i; j++) SET16_A(upname + j * 2, nls_upper(sb, uniname[j])); - uniname[i] = '\0'; + + if (i >= 0 && i < MAX_NAME_LENGTH) + uniname[i] = '\0'; + else + lossy = TRUE; } else { i = j = 0; -- 2.20.1
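Review bot: The guard added in nls_uniname_to_cstring compares `len` with `MAX_NAME_LENGTH * MAX_CHARSET_SIZE`, while the call just above passes `MAX_NAME_LENGTH` as the output limit; assuming utf16s_to_utf8s never returns more than that limit, the condition is only reachable when MAX_CHARSET_SIZE is 1, and otherwise `len--` is dead code. Whether `p_cstring[len] = 0` stays in bounds then rests on the caller's buffer being larger than MAX_NAME_LENGTH bytes, which this hunk does not show. Tie the conversion limit and the terminator to the same capacity by passing a limit that leaves one byte free, and state the contract in a comment such as `/* p_cstring must hold at least MAX_NAME_LENGTH + 1 bytes */` if that is what callers provide. Trimming `len` after the conversion can also cut a multi-byte UTF-8 sequence in half, so bounding the conversion is preferable to shortening its result. The function body starts and continues outside the hunk.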
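Review bot: The new `else` branch in nls_cstring_to_uniname sets `lossy = TRUE` but leaves `uniname` unterminated and `i` unchanged, so a negative error return (the -EINVAL case the commit message describes) or `i == MAX_NAME_LENGTH` still flows into whatever follows the hunk. If later code uses `i` as a length or reads `uniname` as a terminated string, it would work on a negative count or on uninitialised stack contents; that code is outside the hunk, so it needs checking. Consider normalising inside the branch, for example `else { lossy = TRUE; i = (i < 0) ? 0 : MAX_NAME_LENGTH - 1; uniname[i] = '\0'; }`, or rejecting the name right after the conversion call. A one-line comment noting that `i` may hold a negative errno at this point would also help the next reader.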