From: Mark Fasheh
Date: Thu, 24 Jul 2008 16:20:14 +0000 (-0400)
Subject: Btrfs: Null terminate strings passed in from userspace
X-Git-Tag: v2.6.29-rc1~27^2~9^2~55^2~56^2~30^2~91
X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5516e5957f4b99b19fffffa53bf9fbe7cc793249;p=pandora-kernel.git

Btrfs: Null terminate strings passed in from userspace

The 'char name[BTRFS_PATH_NAME_MAX]' member of struct btrfs_ioctl_vol_args
is passed directly to strlen() after being copied from user. I haven't
verified this, but in theory a userspace program could pass in an
unterminated string and cause a kernel crash as strlen walks off the end of
the array.

This patch terminates the ->name string in all btrfs ioctl functions which
currently use a 'struct btrfs_ioctl_vol_args'. Since the string is now
properly terminated, its length will never be longer than
BTRFS_PATH_NAME_MAX so that error check has been removed.

By the way, it might be better overall to just have the ioctl pass an
unterminated string + length structure but I didn't bother with that since
it'd change the kernel/user interface.

Signed-off-by: Mark Fasheh
Signed-off-by: Chris Mason
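
The pattern described in the commit message, as an added userspace C example that is not code from the commit or the kernel: a fixed-size name array is copied in whole, checked for a missing terminator, then terminated before strlen() is called. DEMO_PATH_NAME_MAX, struct demo_vol_args and the function names are assumptions made for this example, and memcpy() stands in for copy_from_user().

```c
#include <stdio.h>
#include <string.h>

#define DEMO_PATH_NAME_MAX 16 /* constructed size, not the kernel's value */

/* Assumed stand-in for struct btrfs_ioctl_vol_args. */
struct demo_vol_args {
    char name[DEMO_PATH_NAME_MAX];
};

/* 1 if no NUL lies inside name[]: the case where a bare strlen()
 * would keep reading past the end of the array. */
int name_is_unterminated(const struct demo_vol_args *a)
{
    return memchr(a->name, '\0', sizeof(a->name)) == NULL;
}

/* Terminate first, then measure: the result is at most
 * DEMO_PATH_NAME_MAX - 1, so no separate length check is needed. */
size_t terminated_name_len(struct demo_vol_args *a)
{
    a->name[sizeof(a->name) - 1] = '\0';
    return strlen(a->name);
}

/* Copy the whole fixed-size struct as the caller supplied it
 * (memcpy stands in for copy_from_user), then handle it safely.
 * user_buf must hold at least sizeof(struct demo_vol_args) bytes. */
size_t handle_request(const void *user_buf, int *was_unterminated)
{
    struct demo_vol_args args;

    memcpy(&args, user_buf, sizeof(args));
    *was_unterminated = name_is_unterminated(&args);
    return terminated_name_len(&args);
}

int main(void)
{
    char full[DEMO_PATH_NAME_MAX];          /* constructed: no NUL anywhere */
    char ok[DEMO_PATH_NAME_MAX] = "subvol"; /* constructed: terminated */
    int bad;

    memset(full, 'A', sizeof(full));
    size_t n = handle_request(full, &bad);
    printf("full: unterminated=%d len=%zu\n", bad, n);
    n = handle_request(ok, &bad);
    printf("ok:   unterminated=%d len=%zu\n", bad, n);
    return 0;
}
```

Forcing the terminator silently truncates a name that fills the whole array; a handler that prefers to reject such input can return an error when name_is_unterminated() reports 1 instead.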