summaryrefslogtreecommitdiff
path: root/security
diff options
context:
space:
mode:
authorAlan Cox <alan@linux.intel.com>2012-07-26 14:47:11 -0700
committerJames Morris <james.l.morris@oracle.com>2012-07-30 15:04:17 +1000
commit3b9fc37280c521b086943f9aedda767f5bf3b2d3 (patch)
treec76cc02753da4df5d11e516d8e9373e5f0426b24 /security
parentf7da9cdf45cbbad5029d4858dcbc0134e06084ed (diff)
downloadlwn-3b9fc37280c521b086943f9aedda767f5bf3b2d3.tar.gz
lwn-3b9fc37280c521b086943f9aedda767f5bf3b2d3.zip
smack: off by one error
Consider the input case of a rule that consists entirely of non space symbols followed by a \0. Say 64 + \0 In this case strlen(data) = 64 kzalloc of subject and object are 64 byte objects sscanfdata, "%s %s %s", subject, ...) will put 65 bytes into subject. Signed-off-by: Alan Cox <alan@linux.intel.com> Acked-by: Casey Schaufler <casey@schaufler-ca.com> Cc: stable@vger.kernel.org Signed-off-by: James Morris <james.l.morris@oracle.com>
Diffstat (limited to 'security')
-rw-r--r--security/smack/smackfs.c8
1 files changed, 4 insertions, 4 deletions
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index d31e6d957c21..b1b768e4049a 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -323,11 +323,11 @@ static int smk_parse_long_rule(const char *data, struct smack_rule *rule,
int datalen;
int rc = -1;
- /*
- * This is probably inefficient, but safe.
- */
+ /* This is inefficient */
datalen = strlen(data);
- subject = kzalloc(datalen, GFP_KERNEL);
+
+ /* Our first element can be 64 + \0 with no spaces */
+ subject = kzalloc(datalen + 1, GFP_KERNEL);
if (subject == NULL)
return -1;
object = kzalloc(datalen, GFP_KERNEL);