From patchwork Fri May 17 09:13:04 2013
X-Patchwork-Submitter: Chen Gang
X-Patchwork-Id: 244545
X-Patchwork-Delegate: davem@davemloft.net
Message-ID: <5195F4A0.3000708@asianux.com>
Date: Fri, 17 May 2013 17:13:04 +0800
From: Chen Gang
To: samuel@sortiz.org
CC: David Miller, netdev
Subject: [PATCH] net: irda: using kzalloc() instead of kmalloc() to avoid strncpy() issue.
X-Mailing-List: netdev@vger.kernel.org

The length of 'discovery->data.info' is 22 and NICKNAME_MAX_LEN is 21, so the strncpy() will always leave the last byte of 'discovery->data.info' uninitialized.

When the length of 'text' is longer than 21 (NICKNAME_MAX_LEN), if the last byte of 'discovery->data.info' is still left uninitialized, the next strlen() will cause an issue.

Also, 'discovery->data' is a 'struct irda_device_info', which is defined in "include/uapi/...", and it may be copied to user mode, so it needs to be wholly initialized.

All together, we need to use kzalloc() instead of kmalloc() to initialize all members first.

Signed-off-by: Chen Gang
--- net/irda/irlap_frame.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/net/irda/irlap_frame.c b/net/irda/irlap_frame.c index 8c00416..9ea0c93 100644 --- a/net/irda/irlap_frame.c +++ b/net/irda/irlap_frame.c @@ -544,7 +544,7 @@ static void irlap_recv_discovery_xid_cmd(struct irlap_cb *self, /* * We now have some discovery info to deliver! */ - discovery = kmalloc(sizeof(discovery_t), GFP_ATOMIC); + discovery = kzalloc(sizeof(discovery_t), GFP_ATOMIC); if (!discovery) { IRDA_WARNING("%s: unable to malloc!\n", __func__); return;
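
Review bot: at the changed allocation (`discovery = kzalloc(sizeof(discovery_t), GFP_ATOMIC);`) the NUL termination of `discovery->data.info` now depends implicitly on the allocator zeroing the buffer, and nothing at this line records that. The strncpy() the commit message describes is outside this hunk and unchanged, so a later cleanup that turns the call back into kmalloc() would silently bring back both the unterminated string read by strlen() and the uninitialized bytes in a structure that, per the message, may be copied to user mode. Suggest a short comment above the kzalloc() stating that the zeroing is required for those two reasons. Consider also terminating explicitly right after the copy, for example `discovery->data.info[NICKNAME_MAX_LEN] = '\0';`, which matches the 22-byte buffer and NICKNAME_MAX_LEN of 21 given in the message and keeps the string safe independently of how the structure is allocated.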