GIT: unionfs2-2.6.27.y: PARISC: led.c - fix potential stack overflow in led_proc_write()
Erez Zadok
ezk at fsl.cs.sunysb.edu
Thu Aug 12 23:15:39 EDT 2010
commit cf32802d7620d7f0e7b1c360cdd5821f2d10a3b0
Author: Helge Deller <deller at gmx.de>
Date: Mon Aug 2 22:46:41 2010 +0200
PARISC: led.c - fix potential stack overflow in led_proc_write()
commit 4b4fd27c0b5ec638a1f06ced9226fd95229dbbf0 upstream.
avoid potential stack overflow by correctly checking count parameter
Reported-by: Ilja <ilja at netric.org>
Signed-off-by: Helge Deller <deller at gmx.de>
Acked-by: Kyle McMartin <kyle at mcmartin.ca>
Cc: James E.J. Bottomley <jejb at parisc-linux.org>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
diff --git a/drivers/parisc/led.c b/drivers/parisc/led.c
index f9b1266..299b4e6 100644
--- a/drivers/parisc/led.c
+++ b/drivers/parisc/led.c
@@ -182,16 +182,18 @@ static int led_proc_read(char *page, char **start, off_t off, int count,
static int led_proc_write(struct file *file, const char *buf,
unsigned long count, void *data)
{
- char *cur, lbuf[count + 1];
+ char *cur, lbuf[32];
int d;
if (!capable(CAP_SYS_ADMIN))
return -EACCES;
- memset(lbuf, 0, count + 1);
+ if (count >= sizeof(lbuf))
+ count = sizeof(lbuf)-1;
if (copy_from_user(lbuf, buf, count))
return -EFAULT;
+ lbuf[count] = 0;
cur = lbuf;
More information about the unionfs-cvs
mailing list