diff options
| author | Alan Cox <alan@linux.intel.com> | 2012-07-26 17:47:11 -0400 |
|---|---|---|
| committer | James Morris <james.l.morris@oracle.com> | 2012-07-30 01:04:17 -0400 |
| commit | 3b9fc37280c521b086943f9aedda767f5bf3b2d3 (patch) | |
| tree | c76cc02753da4df5d11e516d8e9373e5f0426b24 | |
| parent | f7da9cdf45cbbad5029d4858dcbc0134e06084ed (diff) | |
smack: off by one error
Consider the input case of a rule that consists entirely of non space
symbols followed by a \0. Say 64 + \0
In this case strlen(data) = 64
kzalloc of subject and object are 64 byte objects
sscanfdata, "%s %s %s", subject, ...)
will put 65 bytes into subject.
Signed-off-by: Alan Cox <alan@linux.intel.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Cc: stable@vger.kernel.org
Signed-off-by: James Morris <james.l.morris@oracle.com>
| -rw-r--r-- | security/smack/smackfs.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c index d31e6d957c21..b1b768e4049a 100644 --- a/security/smack/smackfs.c +++ b/security/smack/smackfs.c | |||
| @@ -323,11 +323,11 @@ static int smk_parse_long_rule(const char *data, struct smack_rule *rule, | |||
| 323 | int datalen; | 323 | int datalen; |
| 324 | int rc = -1; | 324 | int rc = -1; |
| 325 | 325 | ||
| 326 | /* | 326 | /* This is inefficient */ |
| 327 | * This is probably inefficient, but safe. | ||
| 328 | */ | ||
| 329 | datalen = strlen(data); | 327 | datalen = strlen(data); |
| 330 | subject = kzalloc(datalen, GFP_KERNEL); | 328 | |
| 329 | /* Our first element can be 64 + \0 with no spaces */ | ||
| 330 | subject = kzalloc(datalen + 1, GFP_KERNEL); | ||
| 331 | if (subject == NULL) | 331 | if (subject == NULL) |
| 332 | return -1; | 332 | return -1; |
| 333 | object = kzalloc(datalen, GFP_KERNEL); | 333 | object = kzalloc(datalen, GFP_KERNEL); |