Thread (20 messages) 20 messages, 6 authors, 2010-11-01

Re: [patch] fix stack overflow in pktgen_if_write()

From: Dan Carpenter <hidden>
Date: 2010-10-27 22:41:10

On Thu, Oct 28, 2010 at 12:12:35AM +0200, Dan Carpenter wrote:
-		char tb[count + 1];
-		if (copy_from_user(tb, user_buffer, count))
-			return -EFAULT;
-		tb[count] = 0;
+		char *tb;
+
+		tb = strndup_user(user_buffer, count + 1);
Crap...  This should be memdup_user().

Sorry about that.  I'll send v2.

regards,
dan carpenter
+		if (IS_ERR(tb))
+			return PTR_ERR(tb);
 		printk(KERN_DEBUG "pktgen: %s,%lu  buffer -:%s:-\n", name,
 		       (unsigned long)count, tb);
+		kfree(tb);
 	}
 
 	if (!strcmp(name, "min_pkt_size")) {
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help