From: James Morris <jmorris@redhat.com>

Here's a patch which zeroes the last byte of the mount option data copied
from userspace during mount(2).

For filesystems which parse mount options as strings (the majority), lack
of a zero terminator could cause the page to be overrun.  The source code
comments specify that the maximum size of the mount data is PAGE_SIZE-1, so
this patch will not affect any valid binary-formatted mount data.



---

 fs/namespace.c |    3 +++
 1 files changed, 3 insertions(+)

diff -puN fs/namespace.c~mount-option-overrun-fix fs/namespace.c
--- 25/fs/namespace.c~mount-option-overrun-fix	2004-01-25 23:45:10.000000000 -0800
+++ 25-akpm/fs/namespace.c	2004-01-25 23:45:10.000000000 -0800
@@ -763,6 +763,9 @@ long do_mount(char * dev_name, char * di
 	if (dev_name && !memchr(dev_name, 0, PAGE_SIZE))
 		return -EINVAL;
 
+	if (data_page)
+		((char *)data_page)[PAGE_SIZE - 1] = 0;
+
 	/* Separate the per-mountpoint flags */
 	if (flags & MS_NOSUID)
 		mnt_flags |= MNT_NOSUID;
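
Review bot: The added store ((char *)data_page)[PAGE_SIZE - 1] = 0; has no comment, and it sits right below the dev_name check, which handles an unterminated string differently by returning -EINVAL. A reader comparing the two will wonder why the mount data is silently overwritten rather than rejected. Suggest a one-line comment above the if (data_page) test stating that mount data is limited to PAGE_SIZE-1 bytes, so the last byte is always free to hold a terminator for filesystems that parse options as strings. The comment should also say that the data cannot be validated with memchr the way dev_name is, because it may be binary-formatted.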

_