From: Alan Cox <alan@linux.intel.com>
Date: Thu, 26 Jul 2012 21:47:11 +0000 (-0700)
Subject: smack: off by one error
X-Git-Tag: upstream/snapshot3+hdmi~6927^2~2
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=3b9fc37280c521b086943f9aedda767f5bf3b2d3;p=platform%2Fadaptation%2Frenesas_rcar%2Frenesas_kernel.git

smack: off by one error

Consider the input case of a rule that consists entirely of non space
symbols followed by a \0. Say 64 + \0

In this case strlen(data) = 64
kzalloc of subject and object are 64 byte objects
sscanfdata, "%s %s %s", subject, ...)

will put 65 bytes into subject.

Signed-off-by: Alan Cox <alan@linux.intel.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Cc: stable@vger.kernel.org
Signed-off-by: James Morris <james.l.morris@oracle.com>
---

diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index d31e6d9..b1b768e 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -323,11 +323,11 @@ static int smk_parse_long_rule(const char *data, struct smack_rule *rule,
 	int datalen;
 	int rc = -1;
 
-	/*
-	 * This is probably inefficient, but safe.
-	 */
+	/* This is inefficient */
 	datalen = strlen(data);
-	subject = kzalloc(datalen, GFP_KERNEL);
+
+	/* Our first element can be 64 + \0 with no spaces */
+	subject = kzalloc(datalen + 1, GFP_KERNEL);
 	if (subject == NULL)
 		return -1;
 	object = kzalloc(datalen, GFP_KERNEL);