smack: off by one error
Consider the input case of a rule that consists entirely of non space
symbols followed by a \0. Say 64 + \0

In this case strlen(data) = 64
kzalloc of subject and object are 64 byte objects
sscanf(data, "%s %s %s", subject, ...)

will put 65 bytes into subject.

Signed-off-by: Alan Cox <[email protected]>
Acked-by: Casey Schaufler <[email protected]>
Cc: [email protected]
Signed-off-by: James Morris <[email protected]>
Alan Cox authored and James Morris committed Jul 30, 2012
1 parent f7da9cd commit 3b9fc37
Showing 1 changed file with 4 additions and 4 deletions.
8 changes: 4 additions & 4 deletions security/smack/smackfs.c
Expand Up @@ -323,11 +323,11 @@ static int smk_parse_long_rule(const char *data, struct smack_rule *rule,
int datalen;
int rc = -1;

/*
* This is probably inefficient, but safe.
*/
/* This is inefficient */
datalen = strlen(data);
subject = kzalloc(datalen, GFP_KERNEL);

/* Our first element can be 64 + \0 with no spaces */
subject = kzalloc(datalen + 1, GFP_KERNEL);
if (subject == NULL)
return -1;
object = kzalloc(datalen, GFP_KERNEL);
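
Review bot: the context line `object = kzalloc(datalen, GFP_KERNEL);` at the end of this hunk keeps the old size while `subject` moves to `datalen + 1`, and nothing in the visible code says why that is sufficient. Following the commit message's reasoning, only the first `%s` token can consume all `datalen` bytes; a second token can only exist after at least one subject character and a separator, so it is shorter than `datalen` and its terminator fits. Please either say so in a comment next to the `object` allocation or allocate `datalen + 1` for both buffers, so the sizing does not depend on the order in which the fields are parsed. The new comment `/* Our first element can be 64 + \0 with no spaces */` also hard-codes 64 while the allocation is sized from `strlen(data)`; wording it in terms of `datalen` would keep it accurate for other input lengths.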