From 71fc6636ff1e2554cc55185c25296dc9e8e804ca Mon Sep 17 00:00:00 2001 From: Ilya Dryomov Date: Fri, 14 Mar 2025 12:03:09 +0900 Subject: [PATCH] ceph: validate snapdirname option length when mounting BugLink: https://bugs.launchpad.net/bugs/2102266 commit 12eb22a5a609421b380c3c6ca887474fb2089b2c upstream. It becomes a path component, so it shouldn't exceed NAME_MAX characters. This was hardened in commit c152737be22b ("ceph: Use strscpy() instead of strcpy() in __get_snap_name()"), but no actual check was put in place. Cc: stable@vger.kernel.org Signed-off-by: Ilya Dryomov Reviewed-by: Alex Markuze Signed-off-by: Greg Kroah-Hartman Signed-off-by: Koichiro Den Signed-off-by: Mehmet Basaran --- fs/ceph/super.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/ceph/super.c b/fs/ceph/super.c index b5c4ffc975d7..a3f951b2446c 100644 --- a/fs/ceph/super.c +++ b/fs/ceph/super.c @@ -430,6 +430,8 @@ static int ceph_parse_mount_param(struct fs_context *fc, switch (token) { case Opt_snapdirname: + if (strlen(param->string) > NAME_MAX) + return invalfc(fc, "snapdirname too long"); kfree(fsopt->snapdir_name); fsopt->snapdir_name = param->string; param->string = NULL;