smack: off by one error

commit 3b9fc37280c521b086943f9aedda767f5bf3b2d3 upstream. Consider the input case of a rule that consists entirely of non space symbols followed by a \0. Say 64 + \0 In this case strlen(data) = 64 kzalloc of subject and object are 64 byte objects sscanfdata, "%s %s %s", subject, ...) will put 65 bytes into subject. Signed-off-by: Alan Cox <alan@linux.intel.com> Acked-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: James Morris <james.l.morris@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Alan Cox <alan@linux.intel.com> 2012-07-26 14:47:11 -0700
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2012-08-09 08:22:36 -0700
commit: 4e9cca830222266bc4d456d0ce7f13a376088e56 (patch)
tree: 8eca15ad9621fd033e2a66e4c892233c5cf2b157 /security/smack
parent: 69f699e6189772036175b3b7d362c82b0d944d4d (diff)
1 files changed, 4 insertions, 4 deletions
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index 1810c9a4ed48..cb6d904e3f96 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -325,11 +325,11 @@ static int smk_parse_long_rule(const char *data, struct smack_rule *rule,
 	int datalen;
 	int rc = -1;
 
-	/*
-	 * This is probably inefficient, but safe.
-	 */
+	/* This is inefficient */
 	datalen = strlen(data);
-	subject = kzalloc(datalen, GFP_KERNEL);
+
+	/* Our first element can be 64 + \0 with no spaces */
+	subject = kzalloc(datalen + 1, GFP_KERNEL);
 	if (subject == NULL)
 		return -1;
 	object = kzalloc(datalen, GFP_KERNEL);
author	Alan Cox <alan@linux.intel.com>	2012-07-26 14:47:11 -0700
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2012-08-09 08:22:36 -0700
commit	4e9cca830222266bc4d456d0ce7f13a376088e56 (patch)
tree	8eca15ad9621fd033e2a66e4c892233c5cf2b157 /security/smack
parent	69f699e6189772036175b3b7d362c82b0d944d4d (diff)