security fix

diff --git a/ChangeLog b/ChangeLog
index fe88ba484a02dc293ce381ba4991deb330b5f471..698b3c598c41b38e23d4cdb14d67771e92771ab2 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2005-06-02  Miklos Szeredi <miklos@szeredi.hu>
+
+       * Fix serious information leak: if the filesystem returns a short
+       byte count to a read request, and there are non-zero number of
+       pages which are not filled at all, these pages will not be zeroed.
+       Hence the user can read out previous memory contents.  Found by
+       Sven Tantau.
+
 2005-05-27  Miklos Szeredi <miklos@szeredi.hu>
 
        * Add "readdir_ino" mount option, which tries to fill in the d_ino

diff --git a/Filesystems b/Filesystems
index 38e30d7d3a1ae5a3d828cb6fe5702c7b6107761a..4c8fb75cdecf096b32f2d08bd77fb02d78352505 100644 (file)
--- a/Filesystems
+++ b/Filesystems
@@ -283,7 +283,7 @@ Name: SSHFS-FUSE
 
 Author: Miklos Szeredi / miklos at szeredi hu
 
-Homepage: http://sourceforge.net/project/showfiles.php?group_id=121684&package_id=140425
+Homepage: http://fuse.sourceforge.net/sshfs.html
 
 Description:
 

diff --git a/kernel/dev.c b/kernel/dev.c
index 0bad23638a0c567d9e484f0f6d93a216489e8da1..81cc2be1e0735e5eb85fc2d8470a35c955dbfd1a 100644 (file)
--- a/kernel/dev.c
+++ b/kernel/dev.c
@@ -563,7 +563,7 @@ static int fuse_copy_pages(struct fuse_copy_state *cs, unsigned nbytes,
        unsigned offset = req->page_offset;
        unsigned count = min(nbytes, (unsigned) PAGE_SIZE - offset);
 
-       for (i = 0; i < req->num_pages && nbytes; i++) {
+       for (i = 0; i < req->num_pages && (nbytes || zeroing); i++) {
                struct page *page = req->pages[i];
                int err = fuse_copy_page(cs, page, offset, count, zeroing);
                if (err)