smack: off by one error Consider the input case of a rule that consists entirely of non space symbols followed by a \0. Say 64 + \0 In this case strlen(data) = 64 kzalloc of subject and object are 64 byte objects sscanfdata, "%s %s %s", subject, ...) will put 65 bytes into subject. Signed-off-by: Alan Cox <alan@linux.intel.com> Acked-by: Casey Schaufler <casey@schaufler-ca.com> Cc: stable@vger.kernel.org Signed-off-by: James Morris <james.l.morris@oracle.com>

commit: 3b9fc37280c521b086943f9aedda767f5bf3b2d3 [log] [tgz]
author: Alan Cox <alan@linux.intel.com> Thu Jul 26 14:47:11 2012 -0700
committer: James Morris <james.l.morris@oracle.com> Mon Jul 30 15:04:17 2012 +1000
tree: c76cc02753da4df5d11e516d8e9373e5f0426b24
parent: f7da9cdf45cbbad5029d4858dcbc0134e06084ed [diff] [blame]
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index d31e6d9..b1b768e 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c

@@ -323,11 +323,11 @@
 	int datalen;
 	int rc = -1;
 
-	/*
-	 * This is probably inefficient, but safe.
-	 */
+	/* This is inefficient */
 	datalen = strlen(data);
-	subject = kzalloc(datalen, GFP_KERNEL);
+
+	/* Our first element can be 64 + \0 with no spaces */
+	subject = kzalloc(datalen + 1, GFP_KERNEL);
 	if (subject == NULL)
 		return -1;
 	object = kzalloc(datalen, GFP_KERNEL);
commit	3b9fc37280c521b086943f9aedda767f5bf3b2d3	[log] [tgz]
author	Alan Cox <alan@linux.intel.com>	Thu Jul 26 14:47:11 2012 -0700
committer	James Morris <james.l.morris@oracle.com>	Mon Jul 30 15:04:17 2012 +1000
tree	c76cc02753da4df5d11e516d8e9373e5f0426b24
parent	f7da9cdf45cbbad5029d4858dcbc0134e06084ed [diff] [blame]