Module Name: src Committed By: hannken Date: Fri Nov 20 10:08:47 UTC 2020
Modified Files: src/sys/coda: coda_vfsops.c Log Message: When validating the mount device string make sure its length is below *data_len and below PATH_MAX. Reported-by: syzbot+2d3af801141509cc8...@syzkaller.appspotmail.com To generate a diff of this commit: cvs rdiff -u -r1.88 -r1.89 src/sys/coda/coda_vfsops.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/coda/coda_vfsops.c diff -u src/sys/coda/coda_vfsops.c:1.88 src/sys/coda/coda_vfsops.c:1.89 --- src/sys/coda/coda_vfsops.c:1.88 Sat Nov 14 11:41:29 2020 +++ src/sys/coda/coda_vfsops.c Fri Nov 20 10:08:47 2020 @@ -1,4 +1,4 @@ -/* $NetBSD: coda_vfsops.c,v 1.88 2020/11/14 11:41:29 hannken Exp $ */ +/* $NetBSD: coda_vfsops.c,v 1.89 2020/11/20 10:08:47 hannken Exp $ */ /* * @@ -45,7 +45,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: coda_vfsops.c,v 1.88 2020/11/14 11:41:29 hannken Exp $"); +__KERNEL_RCSID(0, "$NetBSD: coda_vfsops.c,v 1.89 2020/11/20 10:08:47 hannken Exp $"); #include <sys/param.h> #include <sys/systm.h> @@ -197,7 +197,11 @@ coda_mount(struct mount *vfsp, /* Alloca * fixed default size for the filename buffer. */ /* Ensure that namei() doesn't run off the filename buffer */ - ((char *)data)[*data_len - 1] = 0; + if (*data_len < 1 || *data_len > PATH_MAX || + strnlen(data, *data_len) >= *data_len) { + MARK_INT_FAIL(CODA_MOUNT_STATS); + return EINVAL; + } error = namei_simple_kernel((char *)data, NSM_FOLLOW_NOEMULROOT, &dvp);