From: Xi Wang <xi.wang@gmail.com>
Date: Wed, 25 Apr 2012 18:45:22 +0000 (-0400)
Subject: jffs2: validate symlink size in jffs2_do_read_inode_internal()
X-Git-Tag: v3.5-rc1~8^2~43
X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7c80c352331a27cf0584f1701ed3a003984985f0;p=pandora-kernel.git

jffs2: validate symlink size in jffs2_do_read_inode_internal()

`csize' is read from disk and thus needs validation.  Otherwise a bogus
value 0xffffffff would turn the subsequent kmalloc(csize + 1, ...) into
kmalloc(0, ...), leading to out-of-bounds write.

This patch limits `csize' to JFFS2_MAX_NAME_LEN, which is also used
in jffs2_symlink().

Artem: we actually validate csize by checking CRC, so this 0xFFs cannot
come from empty flash region. But I guess an attacker could feed JFFS2
an image with random csize value, including 0xFFs.

Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
---

Reading git-diff-tree failed