Commit 30d1872d9eb3663b4cf7bdebcbf5cd465674cced
Committed by
Linus Torvalds
1 parent
2eaa9cfdf3
Exists in
master
and in
4 other branches
fat: fix buffer overflow in vfat_create_shortname()
When using the string representation of a random counter as part of the base name, ensure that it is no longer than 4 bytes. Since we are repeatedly decrementing the counter in a loop until we have found a unique base name, the counter may wrap around zero; therefore, it is not enough to mask its higher bits before entering the loop, this must be done inside the loop. [hirofumi@mail.parknet.co.jp: use snprintf()] Signed-off-by: Nikolaus Schulz <microschulz@web.de> Cc: stable@kernel.org Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Showing 1 changed file with 3 additions and 3 deletions Side-by-side Diff
fs/fat/namei_vfat.c
... | ... | @@ -309,7 +309,7 @@ |
309 | 309 | { |
310 | 310 | struct fat_mount_options *opts = &MSDOS_SB(dir->i_sb)->options; |
311 | 311 | wchar_t *ip, *ext_start, *end, *name_start; |
312 | - unsigned char base[9], ext[4], buf[8], *p; | |
312 | + unsigned char base[9], ext[4], buf[5], *p; | |
313 | 313 | unsigned char charbuf[NLS_MAX_CHARSET_SIZE]; |
314 | 314 | int chl, chi; |
315 | 315 | int sz = 0, extlen, baselen, i, numtail_baselen, numtail2_baselen; |
... | ... | @@ -467,7 +467,7 @@ |
467 | 467 | return 0; |
468 | 468 | } |
469 | 469 | |
470 | - i = jiffies & 0xffff; | |
470 | + i = jiffies; | |
471 | 471 | sz = (jiffies >> 16) & 0x7; |
472 | 472 | if (baselen > 2) { |
473 | 473 | baselen = numtail2_baselen; |
... | ... | @@ -476,7 +476,7 @@ |
476 | 476 | name_res[baselen + 4] = '~'; |
477 | 477 | name_res[baselen + 5] = '1' + sz; |
478 | 478 | while (1) { |
479 | - sprintf(buf, "%04X", i); | |
479 | + snprintf(buf, sizeof(buf), "%04X", i & 0xffff); | |
480 | 480 | memcpy(&name_res[baselen], buf, 4); |
481 | 481 | if (vfat_find_form(dir, name_res) < 0) |
482 | 482 | break; |