[PATCH] Zero last byte of mount option page.

From: James Morris <jmorris@redhat.com> Here's a patch which zeroes the last byte of the mount option data copied from userspace during mount(2). For filesystems which parse mount options as strings (the majority), lack of a zero terminator could cause the page to be overrun. The source code comments specify that the maximum size of the mount data is PAGE_SIZE-1, so this patch will not affect any valid binary-formatted mount data.

[PATCH] Zero last byte of mount option page.
From: James Morris <jmorris@redhat.com> Here's a patch which zeroes the last byte of the mount option data copied from userspace during mount(2). For filesystems which parse mount options as strings (the majority), lack of a zero terminator could cause the page to be overrun. The source code comments specify that the maximum size of the mount data is PAGE_SIZE-1, so this patch will not affect any valid binary-formatted mount data.
d2ca78bb · Andrew Morton · Linus Torvalds · 81dcbaab · d2ca78bb
Commit d2ca78bb authored Feb 03, 2004 by Andrew Morton Committed by Linus Torvalds Feb 03, 2004
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 0 deletions

fs/namespace.c fs/namespace.c +3 -0

No files found.
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -755,6 +755,9 @@ long do_mount(char * dev_name, char * dir_name, char *type_page,
 	if (dev_name && !memchr(dev_name, 0, PAGE_SIZE))
 		return -EINVAL;

+	if (data_page)
+		((char *)data_page)[PAGE_SIZE - 1] = 0;
+
 	/* Separate the per-mountpoint flags */
 	if (flags & MS_NOSUID)
 		mnt_flags |= MNT_NOSUID;