smack: off by one error

Consider the input case of a rule that consists entirely of non space
symbols followed by a \0. Say 64 + \0

In this case strlen(data) = 64
kzalloc of subject and object are 64 byte objects
sscanfdata, "%s %s %s", subject, ...)

will put 65 bytes into subject.

Signed-off-by: Alan Cox <alan@linux.intel.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Cc: stable@vger.kernel.org
Signed-off-by: James Morris <james.l.morris@oracle.com>
This commit is contained in:
Alan Cox 2012-07-26 14:47:11 -07:00 committed by James Morris
parent f7da9cdf45
commit 3b9fc37280

View file

@ -323,11 +323,11 @@ static int smk_parse_long_rule(const char *data, struct smack_rule *rule,
int datalen;
int rc = -1;
/*
* This is probably inefficient, but safe.
*/
/* This is inefficient */
datalen = strlen(data);
subject = kzalloc(datalen, GFP_KERNEL);
/* Our first element can be 64 + \0 with no spaces */
subject = kzalloc(datalen + 1, GFP_KERNEL);
if (subject == NULL)
return -1;
object = kzalloc(datalen, GFP_KERNEL);