[patch v2] s390: potential buffer overflow

From: Dan Carpenter
Date: Tue Mar 30 2010 - 12:46:00 EST

Next message: Paul E. McKenney: "Re: [PATCH] NFS: Fix RCU warnings innfs_inode_return_delegation_noreclaim() [ver #2]"
Previous message: Christoph Lameter: "Re: [patch v2] slab: add memory hotplug support"
In reply to: Eric W. Biederman: "Re: [patch] s390: potential buffer overflow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

"len" hasn't been properly range checked so we shouldn't use it as an
array offset. This can only be written to by root but it would still be
annoying to accidentally write more than 3 characters and corrupt your
memory.

Signed-off-by: Dan Carpenter <error27@xxxxxxxxx>
---
v2. Removed a superfluous chunk from my first patch. I didn't
understand how ->maxlen worked.

diff --git a/drivers/s390/char/sclp_async.c b/drivers/s390/char/sclp_async.c
index f449c69..38a9f55 100644
--- a/drivers/s390/char/sclp_async.c
+++ b/drivers/s390/char/sclp_async.c
@@ -84,7 +84,7 @@ static int proc_handler_callhome(struct ctl_table *ctl, int write,
rc = copy_from_user(buf, buffer, sizeof(buf));
if (rc != 0)
return -EFAULT;
- buf[len - 1] = '\0';
+ buf[sizeof(buf) - 1] = '\0';
if (strict_strtoul(buf, 0, &val) != 0)
return -EINVAL;
if (val != 0 && val != 1)
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Paul E. McKenney: "Re: [PATCH] NFS: Fix RCU warnings innfs_inode_return_delegation_noreclaim() [ver #2]"
Previous message: Christoph Lameter: "Re: [patch v2] slab: add memory hotplug support"
In reply to: Eric W. Biederman: "Re: [patch] s390: potential buffer overflow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]