![[LWN Logo]](/images/lcorner.png)
![[LWN.net]](/images/Included.png)
|
|
|
|
From: Paul Menage <pmenage@ensim.com> To: alan@redhat.com, Jan Kara <jack@suse.cz> Subject: [PATCH] 2.2.20: Avoid buffer overrun in quota warning Date: Thu, 13 Sep 2001 18:50:01 -0700 Cc: pmenage@ensim.com, linux-kernel@vger.kernel.org The quota code in several places does an sprintf() to a fixed (75 char) buffer, where one of the format arguments is a directory name. If your mountpoints have long enough names, this can easily overflow and corrupt data following the buffer. This has been fixed in 2.4, but not in 2.2.20pre. There are three ways to fix it: a) backport the delayed warning code from 2.4, which doesn't use sprintf b) increase the buffer size c) limit the %s directives in the sprintf() format string. Given that 2.2.20 is about to be frozen, this patch takes option b, increasing the buffer size to be equal to the maximum directory name length passed to mount() (PAGE_SIZE) plus some slop for the rest of the string to be printed. Maybe for 2.2.21 it might be worth backporting the delayed warning code. Paul --- linux.orig/include/linux/quota.h Tue Jun 12 00:56:52 2001 +++ linux/include/linux/quota.h Thu Sep 13 18:21:23 2001 @@ -155,7 +155,7 @@ * Maximum length of a message generated in the quota system, * that needs to be kicked onto the tty. */ -#define MAX_QUOTA_MESSAGE 75 +#define MAX_QUOTA_MESSAGE (PAGE_SIZE + 256) #define DQ_LOCKED 0x01 /* locked for update */ #define DQ_WANT 0x02 /* wanted for update */ - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/