Jan Beulich
2010-Oct-07 09:28 UTC
[PATCH] fix (latent?) memory corruption in btrfs_encode_fh()
The earlier checks only cover the two smaller cases, and hence if the
caller-specified size is less than what's needed to fit
parent_root_objectid, unrelated memory may get overwritten.
Signed-off-by: Jan Beulich <jbeulich@novell.com>
---
fs/btrfs/export.c | 2 ++
1 file changed, 2 insertions(+)
--- linux-2.6.36-rc7/fs/btrfs/export.c
+++ 2.6.36-rc7-btrfs-encode-fh/fs/btrfs/export.c
@@ -46,6 +46,8 @@ static int btrfs_encode_fh(struct dentry
spin_unlock(&dentry->d_lock);
if (parent_root_id != fid->root_objectid) {
+ if (*max_len < BTRFS_FID_SIZE_CONNECTABLE_ROOT)
+ return 255;
fid->parent_root_objectid = parent_root_id;
len = BTRFS_FID_SIZE_CONNECTABLE_ROOT;
type = FILEID_BTRFS_WITH_PARENT_ROOT;
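Review bot: the new `return 255;` repeats the bare magic value from the earlier size checks; a short comment on the added line (or a named constant shared with those checks) saying that 255 is the "cannot encode" return expected by the caller would make the intent clear at this spot, which is otherwise easy to misread as an error code. Reading `*max_len` rather than the local `len` here is correct, since `len` is reassigned on the very next lines to the chosen output size (`BTRFS_FID_SIZE_CONNECTABLE_ROOT`) and no longer reflects the caller's buffer; a one-line comment noting why the third size limit only applies inside the `parent_root_id != fid->root_objectid` branch would also help the next reader.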
--