xfs: check attribute name validity

Check extended attribute entry names for invalid characters.

Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>

diff --git a/fs/xfs/libxfs/xfs_attr.c b/fs/xfs/libxfs/xfs_attr.c
index 844ed87..2dd9ee2 100644 (file)
--- a/fs/xfs/libxfs/xfs_attr.c
+++ b/fs/xfs/libxfs/xfs_attr.c
@@ -1336,3 +1336,20 @@ xfs_attr_node_get(xfs_da_args_t *args)
        xfs_da_state_free(state);
        return retval;
 }
+
+/* Returns true if the attribute entry name is valid. */
+bool
+xfs_attr_namecheck(
+       const void      *name,
+       size_t          length)
+{
+       /*
+        * MAXNAMELEN includes the trailing null, but (name/length) leave it
+        * out, so use >= for the length check.
+        */
+       if (length >= MAXNAMELEN)
+               return false;
+
+       /* There shouldn't be any nulls here */
+       return !memchr(name, 0, length);
+}

diff --git a/fs/xfs/libxfs/xfs_attr.h b/fs/xfs/libxfs/xfs_attr.h
index bdf52a3..2297d84 100644 (file)
--- a/fs/xfs/libxfs/xfs_attr.h
+++ b/fs/xfs/libxfs/xfs_attr.h
@@ -145,6 +145,6 @@ int xfs_attr_remove(struct xfs_inode *dp, const unsigned char *name, int flags);
 int xfs_attr_remove_args(struct xfs_da_args *args);
 int xfs_attr_list(struct xfs_inode *dp, char *buffer, int bufsize,
                  int flags, struct attrlist_cursor_kern *cursor);
-
+bool xfs_attr_namecheck(const void *name, size_t length);
 
 #endif /* __XFS_ATTR_H__ */

diff --git a/fs/xfs/scrub/attr.c b/fs/xfs/scrub/attr.c
index 9960bc5..dce74ec 100644 (file)
--- a/fs/xfs/scrub/attr.c
+++ b/fs/xfs/scrub/attr.c
@@ -93,6 +93,12 @@ xchk_xattr_listent(
                return;
        }
 
+       /* Does this name make sense? */
+       if (!xfs_attr_namecheck(name, namelen)) {
+               xchk_fblock_set_corrupt(sx->sc, XFS_ATTR_FORK, args.blkno);
+               return;
+       }
+
        args.flags = ATTR_KERNOTIME;
        if (flags & XFS_ATTR_ROOT)
                args.flags |= ATTR_ROOT;