ceph: validate snapdirname option length when mounting

It becomes a path component, so it shouldn't exceed NAME_MAX characters. This was hardened in commit c152737be22b ("ceph: Use strscpy() instead of strcpy() in __get_snap_name()"), but no actual check was put in place. Cc: stable@vger.kernel.org Signed-off-by: Ilya Dryomov <idryomov@gmail.com> Reviewed-by: Alex Markuze <amarkuze@redhat.com>
author: Ilya Dryomov <idryomov@gmail.com> 2024-11-20 16:43:51 +0100
committer: Ilya Dryomov <idryomov@gmail.com> 2024-12-16 23:25:43 +0100
commit: 12eb22a5a609421b380c3c6ca887474fb2089b2c (patch)
tree: d6138d69ce7665d846a0a2e9a4d3e13023a38e67
parent: 550f7ca98ee028a606aa75705a7e77b1bd11720f (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/fs/ceph/super.c b/fs/ceph/super.c
index de03cd6eb86e..4344e1f11806 100644
--- a/fs/ceph/super.c
+++ b/fs/ceph/super.c
@@ -431,6 +431,8 @@ static int ceph_parse_mount_param(struct fs_context *fc,
 
 	switch (token) {
 	case Opt_snapdirname:
+		if (strlen(param->string) > NAME_MAX)
+			return invalfc(fc, "snapdirname too long");
 		kfree(fsopt->snapdir_name);
 		fsopt->snapdir_name = param->string;
 		param->string = NULL;
author	Ilya Dryomov <idryomov@gmail.com>	2024-11-20 16:43:51 +0100
committer	Ilya Dryomov <idryomov@gmail.com>	2024-12-16 23:25:43 +0100
commit	12eb22a5a609421b380c3c6ca887474fb2089b2c (patch)
tree	d6138d69ce7665d846a0a2e9a4d3e13023a38e67
parent	550f7ca98ee028a606aa75705a7e77b1bd11720f (diff)