Re: [patch] netrom: check that user string is terminated
From: walter harms <hidden>
Date: 2011-11-23 08:22:16
Also in:
kernel-janitors, linux-hams
Am 23.11.2011 07:52, schrieb Dan Carpenter:
quoted hunk ↗ jump to hunk
We do an strcpy() of mnemonic in nr_add_node(). Signed-off-by: Dan Carpenter <redacted>diff --git a/net/netrom/nr_route.c b/net/netrom/nr_route.c index 915a87b..e126c48 100644 --- a/net/netrom/nr_route.c +++ b/net/netrom/nr_route.c@@ -670,6 +670,8 @@ int nr_rt_ioctl(unsigned int cmd, void __user *arg) case SIOCADDRT: if (copy_from_user(&nr_route, arg, sizeof(struct nr_route_struct))) return -EFAULT; + if (strlen(nr_route.mnemonic) >= sizeof(nr_route.mnemonic)) + return -EINVAL;
I am not sure that it does what you intends. mnemonic is an array and a malicious use may fill it upto the last char causing strlen go beyond. perhaps this may help: nr_route.mnemonic[sizeof(nr_route.mnemonic)-1]=0; this of cause makes the if() redundant.
if ((dev = nr_ax25_dev_get(nr_route.device)) == NULL) return -EINVAL;
while you are here: dev = nr_ax25_dev_get(nr_route.device); if ( dev == NULL ) return -EINVAL;
if (nr_route.ndigis < 0 || nr_route.ndigis > AX25_MAX_DIGIS) {if guess "nr_route.ndigis >= AX25_MAX_DIGIS" is intended ? hope that helps, wh
-- To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html