1

qnx4: Use get_directory_fname() in qnx4_match()

Use the new common directory entry name accessor helper to avoid
confusing the compiler about over-running the file name buffer. Avoids
false positive buffer overflow warning:

[ 4849.636861] detected buffer overflow in strlen
[ 4849.636897] ------------[ cut here ]------------
[ 4849.636902] kernel BUG at lib/string.c:1165!
...
[ 4849.637047] Call Trace:
...
[ 4849.637251]  qnx4_find_entry.cold+0xc/0x18 [qnx4]
[ 4849.637264]  qnx4_lookup+0x3c/0xa0 [qnx4]

Reported-by: Ronald Monthero <debug.penguin32@gmail.com>
Closes: https://lore.kernel.org/lkml/20231112095353.579855-1-debug.penguin32@gmail.com/
Acked-by: Anders Larsen <al@alarsen.net>
Link: https://lore.kernel.org/r/20231130205120.3642477-2-keescook@chromium.org
Signed-off-by: Kees Cook <keescook@chromium.org>
This commit is contained in:
Kees Cook 2023-11-30 12:51:19 -08:00
parent 53853995c6
commit a75b3809dc

View File

@ -26,31 +26,24 @@
static int qnx4_match(int len, const char *name,
struct buffer_head *bh, unsigned long *offset)
{
struct qnx4_inode_entry *de;
int namelen, thislen;
union qnx4_directory_entry *de;
const char *fname;
int fnamelen;
if (bh == NULL) {
printk(KERN_WARNING "qnx4: matching unassigned buffer !\n");
return 0;
}
de = (struct qnx4_inode_entry *) (bh->b_data + *offset);
de = (union qnx4_directory_entry *) (bh->b_data + *offset);
*offset += QNX4_DIR_ENTRY_SIZE;
if ((de->di_status & QNX4_FILE_LINK) != 0) {
namelen = QNX4_NAME_MAX;
} else {
namelen = QNX4_SHORT_NAME_MAX;
}
thislen = strlen( de->di_fname );
if ( thislen > namelen )
thislen = namelen;
if (len != thislen) {
fname = get_entry_fname(de, &fnamelen);
if (!fname || len != fnamelen)
return 0;
}
if (strncmp(name, de->di_fname, len) == 0) {
if ((de->di_status & (QNX4_FILE_USED|QNX4_FILE_LINK)) != 0) {
return 1;
}
}
if (strncmp(name, fname, len) == 0)
return 1;
return 0;
}