PARISC: led.c - fix potential stack overflow in led_proc_write()

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

avoid potential stack overflow by correctly checking count parameter

Reported-by: Ilja <ilja@netric.org>
Signed-off-by: Helge Deller <deller@gmx.de>
Acked-by: Kyle McMartin <kyle@mcmartin.ca>
Cc: James E.J. Bottomley <jejb@parisc-linux.org>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

authored by

Helge Deller and committed by

Linus Torvalds 15 years ago 4b4fd27c 9fe6206f

+4 -2

1 changed file

expand all

drivers

parisc

led.c

+4 -2

drivers/parisc/led.c

··· 176 176 size_t count, loff_t *pos) 177 177 { 178 178 void *data = PDE(file->f_path.dentry->d_inode)->data; 179 - char *cur, lbuf[count + 1]; 179 + char *cur, lbuf[32]; 180 180 int d; 181 181 182 182 if (!capable(CAP_SYS_ADMIN)) 183 183 return -EACCES; 184 184 185 - memset(lbuf, 0, count + 1); 185 + if (count >= sizeof(lbuf)) 186 + count = sizeof(lbuf)-1; 186 187 187 188 if (copy_from_user(lbuf, buf, count)) 188 189 return -EFAULT; 190 + lbuf[count] = 0; 189 191 190 192 cur = lbuf; 191 193