Re: [PATCH] 2.2.20: Avoid buffer overrun in quota warning

Jan Kara (jack@ucw.cz)
Fri, 14 Sep 2001 10:46:57 +0200


Hello,

> The quota code in several places does an sprintf() to a fixed (75 char)
> buffer, where one of the format arguments is a directory name. If your
> mountpoints have long enough names, this can easily overflow and
> corrupt data following the buffer.
>
> This has been fixed in 2.4, but not in 2.2.20pre. There are three ways
> to fix it:
>
> a) backport the delayed warning code from 2.4, which doesn't use sprintf
>
> b) increase the buffer size
>
> c) limit the %s directives in the sprintf() format string.
>
> Given that 2.2.20 is about to be frozen, this patch takes option b,
> increasing the buffer size to be equal to the maximum directory name
> length passed to mount() (PAGE_SIZE) plus some slop for the rest of the
> string to be printed. Maybe for 2.2.21 it might be worth backporting
> the delayed warning code.

Actually that delayed printing of quota messages isn't even in regular
2.4 - it's just in ac-patches. Regular 2.4 has just the print_warning()
function, which works rather the same way as printing in 2.2.
Currently I think that just increasing the buffer size is enough. If
someone really wanted the port from 2.4 I can make it, but I'm really not sure
it's a 2.2 thing and I'm not sure it's worth the work...

Honza
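
Added example, not part of the original message and not kernel code: a user-space C sketch of the problem described in the quoted report, comparing option (b), sizing the buffer for the longest name, with option (c), capping the %s directive. The message text, the function names and the 4096-byte page size are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define WARN_BUF 75            /* fixed buffer size named in the report */
#define ASSUMED_PAGE_SIZE 4096 /* assumption: 4 KiB pages */
/* Constructed message text, not the kernel's actual warning string. */
#define WARN_TAIL ": write failed, user disk limit reached.\r\n"

/* Bytes, including the NUL, that sprintf("%s" WARN_TAIL, mnt) would write. */
size_t unbounded_need(const char *mnt)
{
    return (size_t)snprintf(NULL, 0, "%s" WARN_TAIL, mnt) + 1;
}

/* Option (b): does a buffer of `size` bytes hold the whole message? */
int fits(size_t size, const char *mnt)
{
    return unbounded_need(mnt) <= size;
}

/* Option (c): cap the %s with a precision so the result always fits.
 * Returns the number of characters written, or -1 if size is too small. */
int format_capped(char *buf, size_t size, const char *mnt)
{
    size_t fixed = sizeof(WARN_TAIL) - 1;   /* text after the name */

    if (size < fixed + 2)                   /* need >= 1 name byte + NUL */
        return -1;
    return snprintf(buf, size, "%.*s" WARN_TAIL,
                    (int)(size - fixed - 1), mnt);
}

int main(void)
{
    char mnt[101], buf[WARN_BUF];

    memset(mnt, 'd', 100);                  /* constructed 100-char name */
    mnt[0] = '/';
    mnt[100] = '\0';

    printf("unbounded needs %zu bytes, buffer has %d\n",
           unbounded_need(mnt), WARN_BUF);
    printf("fits in PAGE_SIZE + slop: %d\n",
           fits(ASSUMED_PAGE_SIZE + WARN_BUF, mnt));
    printf("capped length: %d\n", format_capped(buf, sizeof buf, mnt));
    return 0;
}
```

The capped variant truncates the directory name instead of the fixed text, so the warning stays readable while the write stays inside the 75-byte buffer.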
