pseudofs: Fix a potential out-of-bounds access in pfs_lookup()

pseudofs nodes store their name in a flexible array member, so the node
allocation is sized using the length of the name, including a nul
terminator.  pfs_lookup() scans a directory of nodes, comparing names to
find a match.  The comparison was incorrect and assumed that all node
names were at least as long as the name being looked up, which of course
isn't true.

I believe the bug is mostly harmless since it cannot result in false
positive or negative matches from the lookup, but it triggers a KASAN
check.

Reported by:	pho
Reviewed by:	kib, Olivier Certner <olce.freebsd@certner.fr>
MFC after:	2 weeks
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D40692
Mark Johnston 2023-06-23 09:54:39 -04:00
parent 764464af49
commit fc915f1be1
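The out-of-bounds read the commit message describes, reproduced as an added example (this is illustration code written for this page, not FreeBSD's pseudofs code). It models a node whose name is a flexible array member sized to strlen()+1, exactly as the message states, and routes every read of `name[]` through a bounds-checked accessor that counts reads outside the allocation, so the pre-fix and post-fix orderings of the comparison can be compared deterministically instead of by provoking undefined behaviour. The `struct node`, the matcher functions, the `probe_matcher()` harness and the node names "ab" and "status" are all constructed assumptions; as in the kernel, the looked-up name is assumed to contain no nul byte within its first `namelen` bytes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not FreeBSD code: a model of a pseudofs-style node whose
 * name is a flexible array member sized to strlen()+1, with an accessor
 * that counts reads outside that allocation.
 */
struct node {
	struct node *next;
	size_t name_alloc;	/* bytes allocated for name[], nul included */
	char name[];		/* flexible array member */
};

typedef int (*matcher_t)(const struct node *, const char *, size_t);

static size_t oob_reads;	/* out-of-bounds name[] reads observed so far */

/* Read name[i]; an index past the allocation is counted and yields '\0'. */
static char
name_at(const struct node *n, size_t i)
{
	if (i >= n->name_alloc) {
		oob_reads++;
		return ('\0');
	}
	return (n->name[i]);
}

static struct node *
node_new(struct node *next, const char *name)
{
	size_t len = strlen(name) + 1;
	struct node *n = malloc(sizeof(*n) + len);

	n->next = next;
	n->name_alloc = len;
	memcpy(n->name, name, len);
	return (n);
}

/* Pre-fix ordering: test name[namelen] first, then compare the prefix. */
static int
match_old(const struct node *n, const char *pname, size_t namelen)
{
	if (name_at(n, namelen) != '\0')
		return (0);
	for (size_t i = 0; i < namelen; i++)
		if (name_at(n, i) != pname[i])
			return (0);
	return (1);
}

/*
 * Post-fix ordering with strncmp() semantics: the scan stops at the first
 * mismatch, and a shorter node name mismatches at its own nul, so
 * name[namelen] is read only after namelen equal non-nul bytes are known
 * to exist, which puts that index inside the allocation.
 */
static int
match_new(const struct node *n, const char *pname, size_t namelen)
{
	for (size_t i = 0; i < namelen; i++)
		if (name_at(n, i) != pname[i])
			return (0);
	return (name_at(n, namelen) == '\0');
}

struct probe {
	size_t oob;	/* out-of-bounds reads performed by the matcher */
	int found;	/* 1 if the lookup returned the "status" node */
};

/*
 * Constructed directory: a short name ("ab") ahead of a longer one
 * ("status").  Look up "status" and report what the matcher did.
 */
static struct probe
probe_matcher(matcher_t match)
{
	struct node *dir = node_new(node_new(NULL, "status"), "ab");
	const char *pname = "status";
	size_t namelen = strlen(pname);
	struct probe p = { 0, 0 };

	oob_reads = 0;
	for (struct node *n = dir; n != NULL; n = n->next)
		if (match(n, pname, namelen)) {
			p.found = strcmp(n->name, "status") == 0;
			break;
		}
	p.oob = oob_reads;
	free(dir->next);
	free(dir);
	return (p);
}

int
main(void)
{
	struct probe old = probe_matcher(match_old);
	struct probe fixed = probe_matcher(match_new);

	printf("old ordering:   found=%d oob_reads=%zu\n", old.found, old.oob);
	printf("fixed ordering: found=%d oob_reads=%zu\n", fixed.found, fixed.oob);
	return (0);
}
```

Both orderings return the right node, which is why the message calls the bug mostly harmless; the difference is that the old ordering indexes one byte past the three-byte allocation of "ab" before rejecting it, which is the read KASAN flags, while the fixed ordering never touches a byte outside a node's own name.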


@ -537,8 +537,8 @@ pfs_lookup(struct vop_cachedlookup_args *va)
for (pn = pd->pn_nodes; pn != NULL; pn = pn->pn_next)
if (pn->pn_type == pfstype_procdir)
pdn = pn;
else if (pn->pn_name[namelen] == '\0' &&
bcmp(pname, pn->pn_name, namelen) == 0) {
else if (strncmp(pname, pn->pn_name, namelen) == 0 &&
pn->pn_name[namelen] == '\0') {
pfs_unlock(pd);
goto got_pnode;
}
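Review bot: the new condition is only safe because of the order of its two operands, and nothing in the hunk records that. strncmp(pname, pn->pn_name, namelen) stops at the first mismatch or at pn_name's nul, so it never reads past a shorter node name's allocation, and pn->pn_name[namelen] is dereferenced only after strncmp has confirmed namelen equal non-nul bytes, which guarantees index namelen lies inside the strlen+1 allocation; the removed version tested pn->pn_name[namelen] first, which is the out-of-bounds read for any node whose name is shorter than namelen (the +/- markers did not survive rendering, so the two else-if lines above are the old and new forms). A later cleanup that swaps the operands back, or replaces strncmp with bcmp/memcmp, which read all namelen bytes regardless of a nul, would silently reintroduce the bug. Suggest a one-line comment above the else-if, e.g. `/* strncmp() must run first: it bounds the read to the node's own name. */`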