[RFC][PATCH] drm: fix leak of uninitialized data to userspace #2

From: Vegard Nossum
Date: Tue Nov 11 2008 - 17:16:39 EST


Hi,

First patch had an additional problem in case snprintf() wanted to
write a string longer than the buffer and returned a large value.
Most likely this would never ever hit, but we can handle it by only
setting the actual length when we _didn't_ try to overflow the
buffer.

Secondly, the snprintf() won't ever write more than the given
number of bytes, so allocating + 1 bytes isn't ever going to
do anything useful.

Thirdly, we also need to check whether snprintf() returned
>= unique_len. The buffer was also too small if snprintf() returns
== unique_len. snprintf() will always ensure that the result is
properly null-terminated, except in the case where the buffer is
NULL or the buffer size is zero (can never happen here).

It is also a bit suspicious that this function's return value is
never checked, and that we don't free the first allocation if the
second one fails. But maybe it's ok, didn't really check.

I encourage careful review of this patch, as my first attempt was
invalid without me noticing or anybody else saying a thing (or was
that why it was never pushed to mainline?) :-(

(And the original code was obviously in error to begin with.)


Vegard

PS: Feel free to move any/all of this text into commit message if
patch is deemed worthy of inclusion. I just wanted to make the new
info stand out.
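To make the snprintf() contract the mail is leaning on concrete, here is an added example (not code from the patch, the thread, or the DRM tree): a naive length computation next to the checked one, and an allocate-and-retry helper that never reports a length it did not actually get. The "bus"/"id" inputs and the function names are hypothetical stand-ins for whatever the real unique-name code formats.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* snprintf() returns the length the full string WOULD have had, not how much
 * it wrote. A return value >= the buffer size therefore means the output was
 * cut off: only size-1 characters plus the NUL landed in the buffer. */

/* Naive pattern: trust the return value as the amount of data in buf.
 * With a short buffer this hands back a length larger than the buffer, so
 * any later copy of that many bytes reads past the initialised data. */
int unique_len_naive(char *buf, size_t size, const char *bus, int id)
{
	return snprintf(buf, size, "%s:%d", bus, id);
}

/* Checked pattern: accept the length only when nothing was truncated.
 * Returns the length, or -1 when the buffer was too small. Note the >=:
 * ret == size also means the string did not fit (the NUL displaced a char). */
int unique_len_checked(char *buf, size_t size, const char *bus, int id)
{
	int ret;

	if (!buf || size == 0)	/* the only cases snprintf() cannot terminate */
		return -1;
	ret = snprintf(buf, size, "%s:%d", bus, id);
	if (ret < 0 || (size_t)ret >= size)
		return -1;
	return ret;
}

/* Allocate exactly size bytes (no "+ 1": snprintf() never writes past size)
 * and retry with a larger buffer until the string fits. Caller frees.
 * Every byte of the returned string up to and including the NUL is
 * initialised, so *out_len can safely be used as a copy length. */
char *alloc_unique(const char *bus, int id, size_t *out_len)
{
	size_t size = 4;	/* deliberately tiny so the retry path is exercised */

	while (size <= 4096) {
		char *buf = malloc(size);
		int len;

		if (!buf)
			return NULL;
		len = unique_len_checked(buf, size, bus, id);
		if (len >= 0) {
			*out_len = (size_t)len;
			return buf;
		}
		free(buf);	/* do not leak the failed attempt */
		size *= 2;
	}
	return NULL;
}

/* Small self-check helper: 1 if alloc_unique() produced "pci:1234" with the
 * matching length, 0 otherwise. */
int alloc_unique_matches(void)
{
	size_t len = 0;
	char *s = alloc_unique("pci", 1234, &len);
	int ok = s && len == 8 && strlen(s) == 8 && strcmp(s, "pci:1234") == 0;

	free(s);
	return ok;
}

int main(void)
{
	char small[4];

	printf("naive length into 4 bytes:   %d\n",
	       unique_len_naive(small, sizeof small, "pci", 1234));
	printf("checked length into 4 bytes: %d\n",
	       unique_len_checked(small, sizeof small, "pci", 1234));
	printf("grow-and-retry ok:           %d\n", alloc_unique_matches());
	return 0;
}
```

The naive call returns 8 for a 4-byte buffer even though only "pci" and a NUL were written; the checked variant reports -1 for that buffer and for an 8-byte one, and only the 16-byte retry succeeds.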