From b500ce8d24d1f14426643da5f6fada28c1f60533 Mon Sep 17 00:00:00 2001
From: "Ahmed S. Darwish" <darwish.07@gmail.com>
Date: Thu, 13 Mar 2008 12:32:34 -0700
Subject: smackfs: do not trust `count' in inodes write()s

Smackfs write() implementation does not put a higher bound on the number of
bytes to copy from user-space.  This may lead to a DOS attack if a malicious
`count' field is given.

Assure that given `count' is exactly the length needed for a /smack/load rule.
 In case of /smack/cipso where the length is relative, assure that `count'
does not exceed the size needed for a buffer representing maximum possible
number of CIPSO 2.2 categories.

Signed-off-by: Ahmed S. Darwish <darwish.07@gmail.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---
 security/smack/smack.h | 8 --------
 1 file changed, 8 deletions(-)

(limited to 'security/smack/smack.h')

diff --git a/security/smack/smack.h b/security/smack/smack.h
index a21a0e907ab3..62c1e982849d 100644
--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -26,14 +26,6 @@
 #define SMK_MAXLEN	23
 #define SMK_LABELLEN	(SMK_MAXLEN+1)
 
-/*
- * How many kinds of access are there?
- * Here's your answer.
- */
-#define SMK_ACCESSDASH	'-'
-#define SMK_ACCESSLOW	"rwxa"
-#define SMK_ACCESSKINDS	(sizeof(SMK_ACCESSLOW) - 1)
-
 struct superblock_smack {
 	char		*smk_root;
 	char		*smk_floor;
-- 
cgit v1.2.3