author | Steve Grubb <sgrubb@redhat.com> | 2006-09-28 14:31:32 -0400 |
---|---|---|
committer | Al Viro <viro@zeniv.linux.org.uk> | 2006-10-04 08:31:21 -0400 |
commit | ac9910ce017ff5f86f3a25e969b2c4f5d6ac438f (patch) | |
tree | f45d66fa60a02a9f5b32ea95a7d599cb1f175323 /kernel | |
parent | 419c58f11fb732cc8bd1335fa43e0decb34e0be3 (diff) | |
[PATCH] name_count array overrun
Hi,
This patch removes the rdev logging from the previous patch.
The patch below closes an unbounded use of name_count. This can lead to oopses
in some new file systems.
Signed-off-by: Steve Grubb <sgrubb@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to 'kernel')
-rw-r--r-- | kernel/auditsc.c | 19 |
1 files changed, 17 insertions, 2 deletions
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index b61c0191f3da..42f2f1179711 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1357,7 +1357,13 @@ void __audit_inode_child(const char *dname, const struct inode *inode,
 }
 update_context:
- idx = context->name_count++;
+ idx = context->name_count;
+ if (context->name_count == AUDIT_NAMES) {
+ printk(KERN_DEBUG "name_count maxed and losing %s\n",
+ found_name ?: "(null)");
+ return;
+ }
+ context->name_count++;
 #if AUDIT_DEBUG
 context->ino_count++;
 #endif
@@ -1375,7 +1381,16 @@ update_context:
 /* A parent was not found in audit_names, so copy the inode data for the
 * provided parent. */
 if (!found_name) {
- idx = context->name_count++;
+ idx = context->name_count;
+ if (context->name_count == AUDIT_NAMES) {
+ printk(KERN_DEBUG
+ "name_count maxed and losing parent inode data: dev=%02x:%02x, inode=%lu",
+ MAJOR(parent->i_sb->s_dev),
+ MINOR(parent->i_sb->s_dev),
+ parent->i_ino);
+ return;
+ }
+ context->name_count++;
 #if AUDIT_DEBUG
 context->ino_count++;
 #endif |
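Review bot: The new bound test at `update_context:` uses `context->name_count == AUDIT_NAMES`, which only stops the overrun when the counter lands exactly on the limit. If any increment site outside this hunk can push it past the limit, the check is skipped and the array is indexed out of range again; `if (context->name_count >= AUDIT_NAMES) {` costs nothing and fails closed. The same comparison is repeated in the second hunk under `if (!found_name)`. The dropped name is also reported only through an unthrottled `printk(KERN_DEBUG ...)`, so a gap in the audit trail is easy to miss and a task that keeps hitting the limit can fill the log; guarding the message with `printk_ratelimit()` would bound that. The body of `__audit_inode_child` starts and ends outside the hunk.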
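Review bot: The format string in the added `printk` under `if (!found_name)` has no trailing newline, unlike the message added in the first hunk, so the next kernel message can end up on the same log line. It should read `"name_count maxed and losing parent inode data: dev=%02x:%02x, inode=%lu\n",`. Note also that this `return` is reached after the earlier slot has already been taken, so the record is kept without its parent data; a short comment saying that the partial record is intentional would help the next reader. The enclosing function continues outside the hunk.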