Hi,

As I've noticed, there isn't fixed the d_path() long name truncation 
vulnerability 
(http://cert.uni-stuttgart.de/archive/bugtraq/2002/03/msg00384.html) in 
2.4.x up to 2.4.19-pre5 (correct me if I'm wrong).

IMHO this trivial patch fixes it (patch against 2.4.18, no idea about 
2.2.x kernels, should be similar?) - instead of truncating the path with 
no error, caller gets ENAMETOOLONG.

I'm sorry if I've missed something.

Kind regards,

Jirka Kosina.

--- linux/fs/dcache.c.orig	Mon Feb 25 20:38:08 2002
+++ linux/fs/dcache.c	Mon Apr  1 04:16:45 2002
@@ -977,14 +977,17 @@
 		parent = dentry->d_parent;
 		namelen = dentry->d_name.len;
 		buflen -= namelen + 1;
-		if (buflen < 0)
-			break;
+		if (buflen < 0){
+			retval = ERR_PTR(-ENAMETOOLONG);
+			goto out;
+		}
 		end -= namelen;
 		memcpy(end, dentry->d_name.name, namelen);
 		*--end = '/';
 		retval = end;
 		dentry = parent;
 	}
+out:
 	return retval;
 global_root:
 	namelen = dentry->d_name.len;
@@ -993,6 +996,8 @@
 		retval -= namelen-1;	/* hit the slash */
 		memcpy(retval, dentry->d_name.name, namelen);
 	}
+	else
+		retval = ERR_PTR(-ENAMETOOLONG);
 	return retval;
 }
 
@@ -1042,8 +1047,11 @@
 		spin_unlock(&dcache_lock);
 
 		error = -ERANGE;
+		
+		if (cwd == ERR_PTR(-ENAMETOOLONG)) error = -ENAMETOOLONG;
+
 		len = PAGE_SIZE + page - cwd;
-		if (len <= size) {
+		if (len <= size && error != -ENAMETOOLONG) {
 			error = len;
 			if (copy_to_user(buf, cwd, len))
 				error = -EFAULT;



-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/