smack: off by one error

commit 3b9fc37280c521b086943f9aedda767f5bf3b2d3 upstream

Consider the input case of a rule that consists entirely of non space
symbols followed by a \0. Say 64 + \0

In this case strlen(data) = 64
kzalloc of subject and object are 64 byte objects
sscanfdata, "%s %s %s", subject, ...)

will put 65 bytes into subject.

Change-Id: I23f9eddde5747bb1dde6e3fd5a4fbe08fd152ff2
Signed-off-by: Alan Cox <alan@linux.intel.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Cc: stable@vger.kernel.org
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Reviewed-on: http://165.213.202.130:8080/53898
Reviewed-by: Kyungmin Park <kyungmin.park@samsung.com>
Tested-by: Kyungmin Park <kyungmin.park@samsung.com>

diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index eba1686875919f8bb34497852625eded3e56483e..dfd9d61eeba3e721985182ba22e4ccbe2e0df04a 100644 (file)
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -344,11 +344,11 @@ static int smk_parse_long_rule(const char *data, struct smack_rule *rule,
        int datalen;
        int rc = -1;
 
-       /*
-        * This is probably inefficient, but safe.
-        */
+       /* This is inefficient */
        datalen = strlen(data);
-       subject = kzalloc(datalen, GFP_KERNEL);
+
+       /* Our first element can be 64 + \0 with no spaces */
+       subject = kzalloc(datalen + 1, GFP_KERNEL);
        if (subject == NULL)
                return -1;
        object = kzalloc(datalen, GFP_KERNEL);