[PATCH] name_count array overrun

Hi, This patch removes the rdev logging from the previous patch The below patch closes an unbounded use of name_count. This can lead to oopses in some new file systems. Signed-off-by: Steve Grubb <sgrubb@redhat.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
author: Steve Grubb <sgrubb@redhat.com> 2006-09-28 14:31:32 -0400
committer: Al Viro <viro@zeniv.linux.org.uk> 2006-10-04 08:31:21 -0400
commit: ac9910ce017ff5f86f3a25e969b2c4f5d6ac438f (patch)
tree: f45d66fa60a02a9f5b32ea95a7d599cb1f175323
parent: 419c58f11fb732cc8bd1335fa43e0decb34e0be3 (diff)
1 files changed, 17 insertions, 2 deletions
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index b61c0191f3da..42f2f1179711 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1357,7 +1357,13 @@ void __audit_inode_child(const char *dname, const struct inode *inode,
                }
 update_context:
-        idx = context->name_count++;
+        idx = context->name_count;
+        if (context->name_count == AUDIT_NAMES) {
+                printk(KERN_DEBUG "name_count maxed and losing %s\n",
+                        found_name ?: "(null)");
+                return;
+        }
+        context->name_count++;
 #if AUDIT_DEBUG
        context->ino_count++;
 #endif
@@ -1375,7 +1381,16 @@ update_context:
        /* A parent was not found in audit_names, so copy the inode data for the
         * provided parent. */
        if (!found_name) {
-                idx = context->name_count++;
+                idx = context->name_count;
+                if (context->name_count == AUDIT_NAMES) {
+                        printk(KERN_DEBUG
+                                "name_count maxed and losing parent inode data: dev=%02x:%02x, inode=%lu",
+                                MAJOR(parent->i_sb->s_dev),
+                                MINOR(parent->i_sb->s_dev),
+                                parent->i_ino);
+                        return;
+                }
+                context->name_count++;
 #if AUDIT_DEBUG
                context->ino_count++;
 #endif
author	Steve Grubb <sgrubb@redhat.com>	2006-09-28 14:31:32 -0400
committer	Al Viro <viro@zeniv.linux.org.uk>	2006-10-04 08:31:21 -0400
commit	ac9910ce017ff5f86f3a25e969b2c4f5d6ac438f (patch)
tree	f45d66fa60a02a9f5b32ea95a7d599cb1f175323
parent	419c58f11fb732cc8bd1335fa43e0decb34e0be3 (diff)

diff --git a/kernel/auditsc.c b/kernel/auditsc.c index b61c0191f3da..42f2f1179711 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c
@@ -1357,7 +1357,13 @@ void __audit_inode_child(const char dname, const struct inode inode,
1357	}	1357	}
1358		1358
1359	update_context:	1359	update_context:
1360	idx = context->name_count++;	1360	idx = context->name_count;
		1361	if (context->name_count == AUDIT_NAMES) {
		1362	printk(KERN_DEBUG "name_count maxed and losing %s\n",
		1363	found_name ?: "(null)");
		1364	return;
		1365	}
		1366	context->name_count++;
1361	#if AUDIT_DEBUG	1367	#if AUDIT_DEBUG
1362	context->ino_count++;	1368	context->ino_count++;
1363	#endif	1369	#endif
@@ -1375,7 +1381,16 @@ update_context:
1375	/* A parent was not found in audit_names, so copy the inode data for the	1381	/* A parent was not found in audit_names, so copy the inode data for the
1376	* provided parent. */	1382	* provided parent. */
1377	if (!found_name) {	1383	if (!found_name) {
1378	idx = context->name_count++;	1384	idx = context->name_count;
		1385	if (context->name_count == AUDIT_NAMES) {
		1386	printk(KERN_DEBUG
		1387	"name_count maxed and losing parent inode data: dev=%02x:%02x, inode=%lu",
		1388	MAJOR(parent->i_sb->s_dev),
		1389	MINOR(parent->i_sb->s_dev),
		1390	parent->i_ino);
		1391	return;
		1392	}
		1393	context->name_count++;
1379	#if AUDIT_DEBUG	1394	#if AUDIT_DEBUG
1380	context->ino_count++;	1395	context->ino_count++;
1381	#endif	1396	#endif