The maximal length for a rule line for long format is introduced as SMK_LOAD2LEN. Limiting the length of a rule line helps to avoid allocations of a very long contiguous buffer from a heap if user calls write() for a very long chunk. Such an allocation often causes a lot swapper/writeback havoc and it is very likely to fail.
Signed-off-by: Tomasz Stanislawski <t.stanisl...@samsung.com> --- security/smack/smackfs.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c index 08aebc2..5dcd520 100644 --- a/security/smack/smackfs.c +++ b/security/smack/smackfs.c @@ -137,6 +137,7 @@ const char *smack_cipso_option = SMACK_CIPSO_OPTION; * SMK_ACCESS: Maximum possible combination of access permissions * SMK_ACCESSLEN: Maximum length for a rule access field * SMK_LOADLEN: Smack rule length + * SMK_LOAD2LEN: Smack maximal long rule length excluding \0 */ #define SMK_OACCESS "rwxa" #define SMK_ACCESS "rwxat" @@ -144,6 +145,7 @@ const char *smack_cipso_option = SMACK_CIPSO_OPTION; #define SMK_ACCESSLEN (sizeof(SMK_ACCESS) - 1) #define SMK_OLOADLEN (SMK_LABELLEN + SMK_LABELLEN + SMK_OACCESSLEN) #define SMK_LOADLEN (SMK_LABELLEN + SMK_LABELLEN + SMK_ACCESSLEN) +#define SMK_LOAD2LEN (2 * SMK_LONGLABEL + SMK_ACCESSLEN + 2) /* * Stricly for CIPSO level manipulation. @@ -459,6 +461,9 @@ static ssize_t smk_write_rules_list(struct file *file, const char __user *buf, if (*ppos != 0) return -EINVAL; + if (count > SMK_LOAD2LEN) + count = SMK_LOAD2LEN; + if (format == SMK_FIXED24_FMT) { /* * Minor hack for backward compatibility -- 1.7.9.5 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/