[PATCH] Buffer overflow in fs/devpts/root.c

Jamie Lokier (lkd@tantalophile.demon.co.uk)
Wed, 30 Sep 1998 15:43:03 +0100

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Edward Welbon: "Re: PCI_LATENCY_TIMER"
Previous message: Jamie Lokier: "Re: BogoMIPS"

I haven't tested this, but it should be self explanatory.
I don't even use devpts, I just spotted this while reading.

If you look up a name like /dev/pts/9999 it'd get messy.
If you look up /dev/pts/4294967296, it'd be accepted and a dentry
kept for it. That's silly.

-- Jamie

--- /usr/src/linux/fs/devpts/root.c Wed Aug 26 19:18:54 1998
+++ /tmp/root.c Wed Sep 30 15:39:35 1998
@@ -152,12 +152,16 @@
if ( *p < '1' || *p > '9' )
return 0;
entry = *p++ - '0';
+ if ( entry >= sbi->max_ptys )
+ return 0;

for ( i = dentry->d_name.len-1 ; i ; i-- ) {
if ( *p < '0' || *p > '9' )
return 0;
entry *= 10;
entry += (*p++ - '0');
+ if ( entry >= sbi->max_ptys )
+ return 0;
}
}

----- end of patch -----

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

Next message: Edward Welbon: "Re: PCI_LATENCY_TIMER"
Previous message: Jamie Lokier: "Re: BogoMIPS"