diff options
author | Igor Kozhukhov <[email protected]> | 2016-06-15 14:28:36 -0700 |
---|---|---|
committer | Brian Behlendorf <[email protected]> | 2016-06-28 13:47:03 -0700 |
commit | eca7b76001a7d33f78bd98884aef8325bdbf98e7 (patch) | |
tree | bdcd0489c5a6c7840258c4c6063c9a4903bec256 /module/zfs/zfs_ctldir.c | |
parent | 43e52eddb13d8accbd052fac9a242ce979531aa4 (diff) |
OpenZFS 6314 - buffer overflow in dsl_dataset_name
Reviewed by: George Wilson <[email protected]>
Reviewed by: Prakash Surya <[email protected]>
Reviewed by: Igor Kozhukhov <[email protected]>
Approved by: Dan McDonald <[email protected]>
Ported-by: Brian Behlendorf <[email protected]>
OpenZFS-issue: https://www.illumos.org/issues/6314
OpenZFS-commit: https://github.com/openzfs/openzfs/commit/d6160ee
Diffstat (limited to 'module/zfs/zfs_ctldir.c')
-rw-r--r-- | module/zfs/zfs_ctldir.c | 56 |
1 files changed, 30 insertions, 26 deletions
diff --git a/module/zfs/zfs_ctldir.c b/module/zfs/zfs_ctldir.c index e47cfc878..d279d1828 100644 --- a/module/zfs/zfs_ctldir.c +++ b/module/zfs/zfs_ctldir.c @@ -749,12 +749,13 @@ zfsctl_snapshot_path_objset(zfs_sb_t *zsb, uint64_t objsetid, return (ENOENT); cookie = spl_fstrans_mark(); - snapname = kmem_alloc(MAXNAMELEN, KM_SLEEP); + snapname = kmem_alloc(ZFS_MAX_DATASET_NAME_LEN, KM_SLEEP); while (error == 0) { dsl_pool_config_enter(dmu_objset_pool(os), FTAG); - error = dmu_snapshot_list_next(zsb->z_os, MAXNAMELEN, - snapname, &id, &pos, &case_conflict); + error = dmu_snapshot_list_next(zsb->z_os, + ZFS_MAX_DATASET_NAME_LEN, snapname, &id, &pos, + &case_conflict); dsl_pool_config_exit(dmu_objset_pool(os), FTAG); if (error) goto out; @@ -767,7 +768,7 @@ zfsctl_snapshot_path_objset(zfs_sb_t *zsb, uint64_t objsetid, snprintf(full_path, path_len - 1, "%s/.zfs/snapshot/%s", zsb->z_mntopts->z_mntpoint, snapname); out: - kmem_free(snapname, MAXNAMELEN); + kmem_free(snapname, ZFS_MAX_DATASET_NAME_LEN); spl_fstrans_unmark(cookie); return (error); @@ -854,14 +855,14 @@ zfsctl_snapdir_rename(struct inode *sdip, char *snm, ZFS_ENTER(zsb); - to = kmem_alloc(MAXNAMELEN, KM_SLEEP); - from = kmem_alloc(MAXNAMELEN, KM_SLEEP); - real = kmem_alloc(MAXNAMELEN, KM_SLEEP); - fsname = kmem_alloc(MAXNAMELEN, KM_SLEEP); + to = kmem_alloc(ZFS_MAX_DATASET_NAME_LEN, KM_SLEEP); + from = kmem_alloc(ZFS_MAX_DATASET_NAME_LEN, KM_SLEEP); + real = kmem_alloc(ZFS_MAX_DATASET_NAME_LEN, KM_SLEEP); + fsname = kmem_alloc(ZFS_MAX_DATASET_NAME_LEN, KM_SLEEP); if (zsb->z_case == ZFS_CASE_INSENSITIVE) { error = dmu_snapshot_realname(zsb->z_os, snm, real, - MAXNAMELEN, NULL); + ZFS_MAX_DATASET_NAME_LEN, NULL); if (error == 0) { snm = real; } else if (error != ENOTSUP) { @@ -871,9 +872,11 @@ zfsctl_snapdir_rename(struct inode *sdip, char *snm, dmu_objset_name(zsb->z_os, fsname); - error = zfsctl_snapshot_name(ITOZSB(sdip), snm, MAXNAMELEN, from); + error = zfsctl_snapshot_name(ITOZSB(sdip), snm, + ZFS_MAX_DATASET_NAME_LEN, from); if (error == 0) - error = zfsctl_snapshot_name(ITOZSB(tdip), tnm, MAXNAMELEN, to); + error = zfsctl_snapshot_name(ITOZSB(tdip), tnm, + ZFS_MAX_DATASET_NAME_LEN, to); if (error == 0) error = zfs_secpolicy_rename_perms(from, to, cr); if (error != 0) @@ -903,10 +906,10 @@ zfsctl_snapdir_rename(struct inode *sdip, char *snm, rw_exit(&zfs_snapshot_lock); out: - kmem_free(from, MAXNAMELEN); - kmem_free(to, MAXNAMELEN); - kmem_free(real, MAXNAMELEN); - kmem_free(fsname, MAXNAMELEN); + kmem_free(from, ZFS_MAX_DATASET_NAME_LEN); + kmem_free(to, ZFS_MAX_DATASET_NAME_LEN); + kmem_free(real, ZFS_MAX_DATASET_NAME_LEN); + kmem_free(fsname, ZFS_MAX_DATASET_NAME_LEN); ZFS_EXIT(zsb); @@ -929,12 +932,12 @@ zfsctl_snapdir_remove(struct inode *dip, char *name, cred_t *cr, int flags) ZFS_ENTER(zsb); - snapname = kmem_alloc(MAXNAMELEN, KM_SLEEP); - real = kmem_alloc(MAXNAMELEN, KM_SLEEP); + snapname = kmem_alloc(ZFS_MAX_DATASET_NAME_LEN, KM_SLEEP); + real = kmem_alloc(ZFS_MAX_DATASET_NAME_LEN, KM_SLEEP); if (zsb->z_case == ZFS_CASE_INSENSITIVE) { error = dmu_snapshot_realname(zsb->z_os, name, real, - MAXNAMELEN, NULL); + ZFS_MAX_DATASET_NAME_LEN, NULL); if (error == 0) { name = real; } else if (error != ENOTSUP) { @@ -942,7 +945,8 @@ zfsctl_snapdir_remove(struct inode *dip, char *name, cred_t *cr, int flags) } } - error = zfsctl_snapshot_name(ITOZSB(dip), name, MAXNAMELEN, snapname); + error = zfsctl_snapshot_name(ITOZSB(dip), name, + ZFS_MAX_DATASET_NAME_LEN, snapname); if (error == 0) error = zfs_secpolicy_destroy_perms(snapname, cr); if (error != 0) @@ -952,8 +956,8 @@ zfsctl_snapdir_remove(struct inode *dip, char *name, cred_t *cr, int flags) if ((error == 0) || (error == ENOENT)) error = dsl_destroy_snapshot(snapname, B_FALSE); out: - kmem_free(snapname, MAXNAMELEN); - kmem_free(real, MAXNAMELEN); + kmem_free(snapname, ZFS_MAX_DATASET_NAME_LEN); + kmem_free(real, ZFS_MAX_DATASET_NAME_LEN); ZFS_EXIT(zsb); @@ -975,7 +979,7 @@ zfsctl_snapdir_mkdir(struct inode *dip, char *dirname, vattr_t *vap, if (!zfs_admin_snapshot) return (EACCES); - dsname = kmem_alloc(MAXNAMELEN, KM_SLEEP); + dsname = kmem_alloc(ZFS_MAX_DATASET_NAME_LEN, KM_SLEEP); if (zfs_component_namecheck(dirname, NULL, NULL) != 0) { error = SET_ERROR(EILSEQ); @@ -997,7 +1001,7 @@ zfsctl_snapdir_mkdir(struct inode *dip, char *dirname, vattr_t *vap, 0, cr, NULL, NULL); } out: - kmem_free(dsname, MAXNAMELEN); + kmem_free(dsname, ZFS_MAX_DATASET_NAME_LEN); return (error); } @@ -1075,11 +1079,11 @@ zfsctl_snapshot_mount(struct path *path, int flags) zsb = ITOZSB(ip); ZFS_ENTER(zsb); - full_name = kmem_zalloc(MAXNAMELEN, KM_SLEEP); + full_name = kmem_zalloc(ZFS_MAX_DATASET_NAME_LEN, KM_SLEEP); full_path = kmem_zalloc(MAXPATHLEN, KM_SLEEP); error = zfsctl_snapshot_name(zsb, dname(dentry), - MAXNAMELEN, full_name); + ZFS_MAX_DATASET_NAME_LEN, full_name); if (error) goto error; @@ -1153,7 +1157,7 @@ zfsctl_snapshot_mount(struct path *path, int flags) } path_put(&spath); error: - kmem_free(full_name, MAXNAMELEN); + kmem_free(full_name, ZFS_MAX_DATASET_NAME_LEN); kmem_free(full_path, MAXPATHLEN); ZFS_EXIT(zsb); |