Module Name:    src
Committed By:   hannken
Date:           Fri Nov 20 10:08:47 UTC 2020

Modified Files:
        src/sys/coda: coda_vfsops.c

Log Message:
When validating the mount device string make sure its length
is below *data_len and below PATH_MAX.

Reported-by: syzbot+2d3af801141509cc8...@syzkaller.appspotmail.com


To generate a diff of this commit:
cvs rdiff -u -r1.88 -r1.89 src/sys/coda/coda_vfsops.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/coda/coda_vfsops.c
diff -u src/sys/coda/coda_vfsops.c:1.88 src/sys/coda/coda_vfsops.c:1.89
--- src/sys/coda/coda_vfsops.c:1.88	Sat Nov 14 11:41:29 2020
+++ src/sys/coda/coda_vfsops.c	Fri Nov 20 10:08:47 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: coda_vfsops.c,v 1.88 2020/11/14 11:41:29 hannken Exp $	*/
+/*	$NetBSD: coda_vfsops.c,v 1.89 2020/11/20 10:08:47 hannken Exp $	*/
 
 /*
  *
@@ -45,7 +45,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: coda_vfsops.c,v 1.88 2020/11/14 11:41:29 hannken Exp $");
+__KERNEL_RCSID(0, "$NetBSD: coda_vfsops.c,v 1.89 2020/11/20 10:08:47 hannken Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -197,7 +197,11 @@ coda_mount(struct mount *vfsp,	/* Alloca
      * fixed default size for the filename buffer.
      */
     /* Ensure that namei() doesn't run off the filename buffer */
-    ((char *)data)[*data_len - 1] = 0;
+    if (*data_len < 1 || *data_len > PATH_MAX ||
+	strnlen(data, *data_len) >= *data_len) {
+	MARK_INT_FAIL(CODA_MOUNT_STATS);
+	return EINVAL;
+    }
     error = namei_simple_kernel((char *)data, NSM_FOLLOW_NOEMULROOT,
 		&dvp);
 
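Review bot: The comment kept above the new check, `/* Ensure that namei() doesn't run off the filename buffer */`, no longer describes the code: the removed line forced a terminator into the last byte, while the new condition refuses the mount with EINVAL. I would reword it along the lines of `/* Reject a device string that is not NUL-terminated within *data_len, or whose buffer is empty or larger than PATH_MAX, so namei() cannot read past it. */`. The comment should also say that a zero `*data_len` is refused here, since the removed line would have indexed `*data_len - 1` in that case. The rest of coda_mount lies outside the hunk, so these lines do not show whether `data` is checked for NULL before it reaches `strnlen()`.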
