kernel/vfs: follow up for hrev54107
_user_read_link: don't write after the buffer end, anytime the buffer is too short. It should honor the user bufferSize, instead of using the link length. normalize_path: null-terminates when bufferSize is lower than B_PATH_NAME_LENGTH. Change-Id: If3892dc1ffc4aa7a79a333bbe607449ca409a7f0 Reviewed-on: https://review.haiku-os.org/c/haiku/+/2752 Reviewed-by: waddlesplash <waddlesplash@gmail.com>
parent
8ba0b5eb9b
commit
10b5c00fca
@ -2249,7 +2249,7 @@ vnode_path_to_vnode(struct vnode* vnode, char* path, bool traverseLeafLink,
|
|||||||
bufferSize--;
|
bufferSize--;
|
||||||
status = FS_CALL(nextVnode, read_symlink, buffer, &bufferSize);
|
status = FS_CALL(nextVnode, read_symlink, buffer, &bufferSize);
|
||||||
// null-terminate
|
// null-terminate
|
||||||
if (status >= 0)
|
if (status >= 0 && bufferSize < B_PATH_NAME_LENGTH)
|
||||||
buffer[bufferSize] = '\0';
|
buffer[bufferSize] = '\0';
|
||||||
} else
|
} else
|
||||||
status = B_BAD_VALUE;
|
status = B_BAD_VALUE;
|
||||||
@ -2953,6 +2953,7 @@ normalize_path(char* path, size_t pathSize, bool traverseLink, bool kernel)
|
|||||||
error = FS_CALL(fileVnode, read_symlink, path, &bufferSize);
|
error = FS_CALL(fileVnode, read_symlink, path, &bufferSize);
|
||||||
if (error != B_OK)
|
if (error != B_OK)
|
||||||
return error;
|
return error;
|
||||||
|
if (bufferSize < B_PATH_NAME_LENGTH)
|
||||||
path[bufferSize] = '\0';
|
path[bufferSize] = '\0';
|
||||||
} else
|
} else
|
||||||
return B_BAD_VALUE;
|
return B_BAD_VALUE;
|
||||||
@ -9404,17 +9405,19 @@ _user_read_link(int fd, const char* userPath, char* userBuffer,
|
|||||||
bufferSize = B_PATH_NAME_LENGTH;
|
bufferSize = B_PATH_NAME_LENGTH;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
size_t newBufferSize = bufferSize;
|
||||||
status_t status = common_read_link(fd, userPath ? path : NULL, buffer,
|
status_t status = common_read_link(fd, userPath ? path : NULL, buffer,
|
||||||
&bufferSize, false);
|
&newBufferSize, false);
|
||||||
|
|
||||||
// we also update the bufferSize in case of errors
|
// we also update the bufferSize in case of errors
|
||||||
// (the real length will be returned in case of B_BUFFER_OVERFLOW)
|
// (the real length will be returned in case of B_BUFFER_OVERFLOW)
|
||||||
if (user_memcpy(userBufferSize, &bufferSize, sizeof(size_t)) != B_OK)
|
if (user_memcpy(userBufferSize, &newBufferSize, sizeof(size_t)) != B_OK)
|
||||||
return B_BAD_ADDRESS;
|
return B_BAD_ADDRESS;
|
||||||
|
|
||||||
if (status != B_OK)
|
if (status != B_OK)
|
||||||
return status;
|
return status;
|
||||||
|
|
||||||
|
bufferSize = min_c(newBufferSize, bufferSize);
|
||||||
if (user_memcpy(userBuffer, buffer, bufferSize) != B_OK)
|
if (user_memcpy(userBuffer, buffer, bufferSize) != B_OK)
|
||||||
return B_BAD_ADDRESS;
|
return B_BAD_ADDRESS;
|
||||||
|
|
||||||
|
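Review bot: In the vnode_path_to_vnode hunk, when read_symlink reports a length of B_PATH_NAME_LENGTH or more, the new guard skips the terminator but leaves `status` non-negative, so the code that follows would presumably treat a truncated and possibly unterminated `buffer` as a valid path. Fail that case explicitly instead of falling through, for example by adding `else if (status >= 0) status = B_NAME_TOO_LONG;` right after `buffer[bufferSize] = '\0';`. The normalize_path hunk has the same shape: `error` stays B_OK when `bufferSize >= B_PATH_NAME_LENGTH`, and the guard there tests B_PATH_NAME_LENGTH rather than the `pathSize` parameter, which is worth confirming against the callers. Both function bodies start and end outside the hunks shown, so how the buffers are sized and initialised is not visible here.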