From: Miklos Szeredi <miklos@szeredi.hu>
Date: Thu, 2 Jun 2005 09:05:00 +0000 (+0000)
Subject: security fix
X-Git-Tag: fuse_2_3_0~1
X-Git-Url: http://git.maquefel.me/?a=commitdiff_plain;h=46960cebc16c926ab025bbbc62a682dd826ad404;p=qemu-gpiodev%2Flibfuse.git

security fix
---

diff --git a/ChangeLog b/ChangeLog
index fe88ba4..698b3c5 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2005-06-02  Miklos Szeredi <miklos@szeredi.hu>
+
+	* Fix serious information leak: if the filesystem returns a short
+	byte count to a read request, and there are non-zero number of
+	pages which are not filled at all, these pages will not be zeroed.
+	Hence the user can read out previous memory contents.  Found by
+	Sven Tantau.
+
 2005-05-27  Miklos Szeredi <miklos@szeredi.hu>
 
 	* Add "readdir_ino" mount option, which tries to fill in the d_ino
diff --git a/Filesystems b/Filesystems
index 38e30d7..4c8fb75 100644
--- a/Filesystems
+++ b/Filesystems
@@ -283,7 +283,7 @@ Name: SSHFS-FUSE
 
 Author: Miklos Szeredi / miklos at szeredi hu
 
-Homepage: http://sourceforge.net/project/showfiles.php?group_id=121684&package_id=140425
+Homepage: http://fuse.sourceforge.net/sshfs.html
 
 Description:
 
diff --git a/kernel/dev.c b/kernel/dev.c
index 0bad236..81cc2be 100644
--- a/kernel/dev.c
+++ b/kernel/dev.c
@@ -563,7 +563,7 @@ static int fuse_copy_pages(struct fuse_copy_state *cs, unsigned nbytes,
 	unsigned offset = req->page_offset;
 	unsigned count = min(nbytes, (unsigned) PAGE_SIZE - offset);
 
-	for (i = 0; i < req->num_pages && nbytes; i++) {
+	for (i = 0; i < req->num_pages && (nbytes || zeroing); i++) {
 		struct page *page = req->pages[i];
 		int err = fuse_copy_page(cs, page, offset, count, zeroing);
 		if (err)