Menu
▾
▴
[fuse-devel] SETXATTR message size too large
|
From: sqweek <sq...@gm...> - 2008-07-04 04:00:06
|
Howdy,
If my inference is correct, fuse_setxattr is called with
size=strlen(name)+1 + strlen(value)+1. The fuse message itself is
initialised with 3 arguments - the fuse_setxattr_in struct, the name
of the attribute, and the value. However, the length of the value
argument is specified as size, not the length of the value string,
which results in a message that is larger than it should be (as well
as probably reading uninitilised memory off the end of value - is that
a potential vector for reading sensitive information in memory?).
Below is a patch for 2.7.3 to correct the problem. I've tested it
locally and the file server I was having problems with works again (it
doesn't even support setxattr, but asserts that the last byte in the
message is NUL).
--- a/kernel/dir.c Fri Jul 04 11:39:18 2008 +0800
+++ b/kernel/dir.c Fri Jul 04 11:39:32 2008 +0800
@@ -1169,7 +1169,7 @@ static int fuse_setxattr(struct dentry *
req->in.args[0].value = &inarg;
req->in.args[1].size = strlen(name) + 1;
req->in.args[1].value = name;
- req->in.args[2].size = size;
+ req->in.args[2].size = strlen(value) + 1;
req->in.args[2].value = value;
request_send(fc, req);
err = req->out.h.error;
-sqweek
|