kernel/vfs: follow up for hrev54107

_user_read_link: don't write after the buffer end, anytime the buffer is too
short. It should honor the user bufferSize, instead of using the link length.
normalize_path: null-terminates when bufferSize is lower than B_PATH_NAME_LENGTH.

Change-Id: If3892dc1ffc4aa7a79a333bbe607449ca409a7f0
Reviewed-on: https://review.haiku-os.org/c/haiku/+/2752
Reviewed-by: waddlesplash <waddlesplash@gmail.com>
This commit is contained in:
Jérôme Duval 2020-05-20 18:50:06 +02:00 committed by waddlesplash
parent 8ba0b5eb9b
commit 10b5c00fca

View File

@ -2249,7 +2249,7 @@ vnode_path_to_vnode(struct vnode* vnode, char* path, bool traverseLeafLink,
bufferSize--; bufferSize--;
status = FS_CALL(nextVnode, read_symlink, buffer, &bufferSize); status = FS_CALL(nextVnode, read_symlink, buffer, &bufferSize);
// null-terminate // null-terminate
if (status >= 0) if (status >= 0 && bufferSize < B_PATH_NAME_LENGTH)
buffer[bufferSize] = '\0'; buffer[bufferSize] = '\0';
} else } else
status = B_BAD_VALUE; status = B_BAD_VALUE;
@ -2953,6 +2953,7 @@ normalize_path(char* path, size_t pathSize, bool traverseLink, bool kernel)
error = FS_CALL(fileVnode, read_symlink, path, &bufferSize); error = FS_CALL(fileVnode, read_symlink, path, &bufferSize);
if (error != B_OK) if (error != B_OK)
return error; return error;
if (bufferSize < B_PATH_NAME_LENGTH)
path[bufferSize] = '\0'; path[bufferSize] = '\0';
} else } else
return B_BAD_VALUE; return B_BAD_VALUE;
@ -9404,17 +9405,19 @@ _user_read_link(int fd, const char* userPath, char* userBuffer,
bufferSize = B_PATH_NAME_LENGTH; bufferSize = B_PATH_NAME_LENGTH;
} }
size_t newBufferSize = bufferSize;
status_t status = common_read_link(fd, userPath ? path : NULL, buffer, status_t status = common_read_link(fd, userPath ? path : NULL, buffer,
&bufferSize, false); &newBufferSize, false);
// we also update the bufferSize in case of errors // we also update the bufferSize in case of errors
// (the real length will be returned in case of B_BUFFER_OVERFLOW) // (the real length will be returned in case of B_BUFFER_OVERFLOW)
if (user_memcpy(userBufferSize, &bufferSize, sizeof(size_t)) != B_OK) if (user_memcpy(userBufferSize, &newBufferSize, sizeof(size_t)) != B_OK)
return B_BAD_ADDRESS; return B_BAD_ADDRESS;
if (status != B_OK) if (status != B_OK)
return status; return status;
bufferSize = min_c(newBufferSize, bufferSize);
if (user_memcpy(userBuffer, buffer, bufferSize) != B_OK) if (user_memcpy(userBuffer, buffer, bufferSize) != B_OK)
return B_BAD_ADDRESS; return B_BAD_ADDRESS;