On Wednesday, January 10, 2001 12:38:34 PM -0500 Alexander Viro <[EMAIL PROTECTED]> wrote:

> On Wed, 10 Jan 2001, Chris Mason wrote:
>
>> In filldir, I don't like the line where we ((char *)dirent += reclen ;
>> If reclen is much larger than the buffer sent from userspace, I don't
>> see how we stay in bounds.
>
> So? copy_to_user() and put_user() will refuse to scramble the
> kernel memory. IOW, dirent can be out of the userspace. Hell, user could
> call getdents() and pass it a kernel pointer. Try it and you'll see what
> happens.

Ah thanks, that makes more sense. But, copy_to_user is only working on namelen bytes, and reclen is bigger than that. So, who is checking the value for the buf->current_dir pointer?

-chris
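The bound the message asks about, sketched as a user-space model; this is an added example, not code from the thread or from the kernel source. The struct layout, `fill_ctx`, `model_filldir` and `demo_accepted` are hypothetical names, and the point shown is that the rounded-up `reclen` is compared with the space left before the write pointer advances.

```c
#include <stddef.h>
#include <string.h>

struct model_dirent {            /* simplified record header, not the kernel's */
    unsigned long  d_ino;
    unsigned short d_reclen;
    char           d_name[1];
};
struct fill_ctx {
    char  *current_dir;          /* next write position in the caller's buffer */
    size_t count;                /* bytes still free in that buffer */
};
#define NAME_OFF    offsetof(struct model_dirent, d_name)
#define ROUND_UP(x) (((x) + sizeof(long) - 1) & ~(sizeof(long) - 1))

/* Returns 0 if the record was stored, -1 if it does not fit. */
static int model_filldir(struct fill_ctx *ctx, const char *name,
                         size_t namlen, unsigned long ino)
{
    struct model_dirent hdr;
    size_t reclen;

    if (namlen > ctx->count)     /* oversized name: reject before sizing it */
        return -1;
    reclen = ROUND_UP(NAME_OFF + namlen + 1);
    if (reclen > ctx->count || reclen > 0xFFFF)
        return -1;               /* checked before the pointer ever moves */
    memset(&hdr, 0, sizeof hdr);
    hdr.d_ino = ino;
    hdr.d_reclen = (unsigned short)reclen;
    memcpy(ctx->current_dir, &hdr, NAME_OFF);
    memcpy(ctx->current_dir + NAME_OFF, name, namlen);
    ctx->current_dir[NAME_OFF + namlen] = '\0';
    ctx->current_dir += reclen;  /* the step the message asks about */
    ctx->count -= reclen;
    return 0;
}

/* Constructed demo: 32 usable bytes followed by 16 guard bytes. */
static int demo_accepted(int *guard_intact)
{
    unsigned char mem[48];
    char longname[100];
    struct fill_ctx ctx = { (char *)mem, 32 };
    int ok = 0, i;

    memset(mem, 0xAA, sizeof mem);
    memset(longname, 'x', sizeof longname);
    ok += model_filldir(&ctx, "a", 1, 1) == 0;
    ok += model_filldir(&ctx, longname, sizeof longname, 2) == 0; /* rejected */
    ok += model_filldir(&ctx, "bb", 2, 3) == 0;
    for (*guard_intact = 1, i = 32; i < 48; i++)
        if (mem[i] != 0xAA) *guard_intact = 0;
    return ok;
}
```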