From: sqweek <sq...@gm...> - 2008-07-04 04:00:06
Howdy,

If my inference is correct, fuse_setxattr is called with size = strlen(name)+1 + strlen(value)+1. The fuse message itself is initialised with 3 arguments: the fuse_setxattr_in struct, the name of the attribute, and the value. However, the length of the value argument is specified as size, not the length of the value string, which results in a message that is larger than it should be (as well as probably reading uninitialised memory off the end of value; is that a potential vector for reading sensitive information in memory?).

Below is a patch for 2.7.3 to correct the problem. I've tested it locally and the file server I was having problems with works again (it doesn't even support setxattr, but asserts that the last byte in the message is NUL).

--- a/kernel/dir.c Fri Jul 04 11:39:18 2008 +0800
+++ b/kernel/dir.c Fri Jul 04 11:39:32 2008 +0800
@@ -1169,7 +1169,7 @@ static int fuse_setxattr(struct dentry *
 req->in.args[0].value = &inarg;
 req->in.args[1].size = strlen(name) + 1;
 req->in.args[1].value = name;
- req->in.args[2].size = size;
+ req->in.args[2].size = strlen(value) + 1;
 req->in.args[2].value = value;
 request_send(fc, req);
 err = req->out.h.error;

-sqweek
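Review bot: `strlen(value) + 1` is not a valid length for args[2]. In the setxattr interface `value` is an opaque byte buffer whose length is the caller's `size` (the `size` argument of setxattr(2) is the value length alone, not name plus value), so the removed line `req->in.args[2].size = size;` had it right. An xattr value need not be NUL-terminated and may contain NUL bytes, so strlen() on it can read past the end of the buffer or truncate the value, and the length put on the wire would no longer match what the caller asked to store. Keep `size` here; a server that asserts the last byte of the message is NUL is assuming a text-only value and should take the value length from the request header instead, which is a fix on the server side.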
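The layout discussed in this message, as an added example that is not part of the original post or of the fuse kernel module: a client-side marshaller that writes the header, the NUL-terminated name and the raw value bytes into one buffer using the caller's explicit size, and a server-side parser that recovers the value from the header's size field rather than by looking for a terminator. The struct and function names are this example's own; the header mirrors the two 32-bit fields of fuse_setxattr_in but is an assumption, not the real wire format.

```c
/* Added example, not fuse code. Shows why the value length in a
 * setxattr-style message must come from the caller's size argument and
 * not from strlen(): xattr values are arbitrary bytes, possibly with
 * embedded NULs and no terminator. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed header: two 32-bit fields, value length and flags. */
struct xattr_in_hdr {
    uint32_t size;   /* length of the value in bytes */
    uint32_t flags;  /* XATTR_CREATE / XATTR_REPLACE; unused here */
};

/* Client side: header, then name with its NUL, then exactly size bytes of
 * value. Returns the total message length, or 0 if buf is too small. */
size_t build_setxattr_msg(const char *name, const void *value, size_t size,
                          uint32_t flags, unsigned char *buf, size_t buflen)
{
    size_t namelen = strlen(name) + 1;              /* names are C strings */
    size_t total = sizeof(struct xattr_in_hdr) + namelen + size;
    if (size > UINT32_MAX || total > buflen)
        return 0;
    struct xattr_in_hdr hdr = { (uint32_t)size, flags };
    memcpy(buf, &hdr, sizeof hdr);
    memcpy(buf + sizeof hdr, name, namelen);
    memcpy(buf + sizeof hdr + namelen, value, size); /* raw bytes, NULs kept */
    return total;
}

/* Server side: bounded scan for the name terminator, then take the value
 * length from the header and check it against the bytes actually present.
 * Returns 0 on success, -1 on a malformed message. Never assumes the last
 * byte of the message is NUL. */
int parse_setxattr_msg(const unsigned char *msg, size_t msglen,
                       const char **name, const unsigned char **value,
                       size_t *size)
{
    if (msglen < sizeof(struct xattr_in_hdr))
        return -1;
    struct xattr_in_hdr hdr;
    memcpy(&hdr, msg, sizeof hdr);
    const unsigned char *p = msg + sizeof hdr;
    size_t rem = msglen - sizeof hdr;
    const unsigned char *nul = memchr(p, '\0', rem);
    if (!nul)
        return -1;                                   /* unterminated name */
    size_t namelen = (size_t)(nul - p) + 1;
    if (rem - namelen != hdr.size)
        return -1;                                   /* value length mismatch */
    *name = (const char *)p;
    *value = p + namelen;
    *size = hdr.size;
    return 0;
}

/* Round trip with a constructed binary value containing an embedded NUL
 * and no terminator. Returns 1 if the value survives intact while
 * strlen()+1 would have misreported its length, 0 otherwise. */
int demo_roundtrip(void)
{
    const unsigned char val[3] = { 0x01, 0x00, 0x02 };  /* constructed input */
    unsigned char buf[64];
    size_t len = build_setxattr_msg("user.test", val, sizeof val, 0, buf, sizeof buf);
    const char *name; const unsigned char *v; size_t vsize;
    if (len == 0 || parse_setxattr_msg(buf, len, &name, &v, &vsize) != 0)
        return 0;
    int intact = vsize == sizeof val && memcmp(v, val, vsize) == 0
                 && strcmp(name, "user.test") == 0;
    int strlen_wrong = strlen((const char *)v) + 1 != sizeof val; /* 2 != 3 */
    return intact && strlen_wrong;
}

int main(void)
{
    const unsigned char val[3] = { 0x01, 0x00, 0x02 };
    unsigned char buf[64];
    size_t len = build_setxattr_msg("user.test", val, sizeof val, 0, buf, sizeof buf);
    printf("message length %zu, value length %zu, strlen+1 would say %zu\n",
           len, sizeof val, strlen((const char *)val) + 1);
    printf("roundtrip ok: %d\n", demo_roundtrip());
    return 0;
}
```

The parser also rejects a message that is one byte short, since the remaining bytes after the name no longer equal the header's size field; that is the check a server should make instead of asserting on a trailing NUL.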