ceph: validate snapdirname option length when mounting

It becomes a path component, so it shouldn't exceed NAME_MAX
characters.  This was hardened in commit c152737be22b ("ceph: Use
strscpy() instead of strcpy() in __get_snap_name()"), but no actual
check was put in place.

Cc: stable@vger.kernel.org
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Alex Markuze <amarkuze@redhat.com>

diff --git a/fs/ceph/super.c b/fs/ceph/super.c
index de03cd6eb86ee41cb521f83f6110467f9a8e0eeb..4344e1f118069ae54b5c23b0c778faf19d04d25e 100644 (file)
--- a/fs/ceph/super.c
+++ b/fs/ceph/super.c
@@ -431,6 +431,8 @@ static int ceph_parse_mount_param(struct fs_context *fc,
 
        switch (token) {
        case Opt_snapdirname:
+               if (strlen(param->string) > NAME_MAX)
+                       return invalfc(fc, "snapdirname too long");
                kfree(fsopt->snapdir_name);
                fsopt->snapdir_name = param->string;
                param->string = NULL;