ceph: validate snapdirname option length when mounting

commit 12eb22a5a609421b380c3c6ca887474fb2089b2c upstream. It becomes a path component, so it shouldn't exceed NAME_MAX characters. This was hardened in commit c152737be22b ("ceph: Use strscpy() instead of strcpy() in __get_snap_name()"), but no actual check was put in place. Cc: stable@vger.kernel.org Signed-off-by: Ilya Dryomov <idryomov@gmail.com> Reviewed-by: Alex Markuze <amarkuze@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Ilya Dryomov <idryomov@gmail.com> 2024-11-20 16:43:51 +0100
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2024-12-27 13:58:56 +0100
commit: f006f6eaea7b1345d2d9ad579087d3f63ab72c36 (patch)
tree: a6c0ae4fed818de1e367397c29f7d178179df354 /fs
parent: 7094f3b6df924b33e2d6e7c9a87f2865f952184d (diff)
download: linux-f006f6eaea7b1345d2d9ad579087d3f63ab72c36.tar.gz
linux-f006f6eaea7b1345d2d9ad579087d3f63ab72c36.tar.bz2
linux-f006f6eaea7b1345d2d9ad579087d3f63ab72c36.zip
1 files changed, 2 insertions, 0 deletions
diff --git a/fs/ceph/super.c b/fs/ceph/super.c
index 4f51a2e74d07..29026ba4f022 100644
--- a/fs/ceph/super.c
+++ b/fs/ceph/super.c
@@ -427,6 +427,8 @@ static int ceph_parse_mount_param(struct fs_context *fc,
 
 	switch (token) {
 	case Opt_snapdirname:
+		if (strlen(param->string) > NAME_MAX)
+			return invalfc(fc, "snapdirname too long");
 		kfree(fsopt->snapdir_name);
 		fsopt->snapdir_name = param->string;
 		param->string = NULL;
author	Ilya Dryomov <idryomov@gmail.com>	2024-11-20 16:43:51 +0100
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2024-12-27 13:58:56 +0100
commit	f006f6eaea7b1345d2d9ad579087d3f63ab72c36 (patch)
tree	a6c0ae4fed818de1e367397c29f7d178179df354 /fs
parent	7094f3b6df924b33e2d6e7c9a87f2865f952184d (diff)
download	linux-f006f6eaea7b1345d2d9ad579087d3f63ab72c36.tar.gz linux-f006f6eaea7b1345d2d9ad579087d3f63ab72c36.tar.bz2 linux-f006f6eaea7b1345d2d9ad579087d3f63ab72c36.zip