| Message ID | 51C53571.9070403@asianux.com |
|---|---|
| State | Accepted |
| Delegated to: | David Miller |
| Headers | show |
From: Chen Gang <gang.chen@asianux.com> Date: Sat, 22 Jun 2013 13:26:09 +0800 > > For the related next strcpy(), the destination length is less than 512, > but the source maximize length may be 'OPROMMAXPARAM' (4096) which is > more than 512. > > One work flow may: > openprom_sunos_ioctl() -> if (cmd == OPROMSETOPT) > getstrings() -> will alloc buffer with size 'OPROMMAXPARAM'. > opromsetopt() -> devide the buffer into 'var' and 'value' > of_set_property() -> pass > prom_setprop() -> pass > ldom_set_var() > > And do not mind the additional 4 alignment buffer increasing, since > 'sizeof(pkt) - sizeof(pkt.header)' is 4 alignment at least. > > > Signed-off-by: Chen Gang <gang.chen@asianux.com> Applied. -- To unsubscribe from this list: send the line "unsubscribe sparclinux" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On 07/11/2013 04:42 AM, David Miller wrote: > From: Chen Gang <gang.chen@asianux.com> > Date: Sat, 22 Jun 2013 13:26:09 +0800 > >> > >> > For the related next strcpy(), the destination length is less than 512, >> > but the source maximize length may be 'OPROMMAXPARAM' (4096) which is >> > more than 512. >> > >> > One work flow may: >> > openprom_sunos_ioctl() -> if (cmd == OPROMSETOPT) >> > getstrings() -> will alloc buffer with size 'OPROMMAXPARAM'. >> > opromsetopt() -> devide the buffer into 'var' and 'value' >> > of_set_property() -> pass >> > prom_setprop() -> pass >> > ldom_set_var() >> > >> > And do not mind the additional 4 alignment buffer increasing, since >> > 'sizeof(pkt) - sizeof(pkt.header)' is 4 alignment at least. >> > >> > >> > Signed-off-by: Chen Gang <gang.chen@asianux.com> > Applied. > > Thank you for your work, especially you are very busy.
diff --git a/arch/sparc/kernel/ds.c b/arch/sparc/kernel/ds.c index 5ef48da..11d460f 100644 --- a/arch/sparc/kernel/ds.c +++ b/arch/sparc/kernel/ds.c @@ -783,6 +783,16 @@ void ldom_set_var(const char *var, const char *value) char *base, *p; int msg_len, loops; + if (strlen(var) + strlen(value) + 2 > + sizeof(pkt) - sizeof(pkt.header)) { + printk(KERN_ERR PFX + "contents length: %zu, which more than max: %lu," + "so could not set (%s) variable to (%s).\n", + strlen(var) + strlen(value) + 2, + sizeof(pkt) - sizeof(pkt.header), var, value); + return; + } + memset(&pkt, 0, sizeof(pkt)); pkt.header.data.tag.type = DS_DATA; pkt.header.data.handle = cp->handle;
For the related next strcpy(), the destination length is less than 512, but the source maximize length may be 'OPROMMAXPARAM' (4096) which is more than 512. One work flow may: openprom_sunos_ioctl() -> if (cmd == OPROMSETOPT) getstrings() -> will alloc buffer with size 'OPROMMAXPARAM'. opromsetopt() -> devide the buffer into 'var' and 'value' of_set_property() -> pass prom_setprop() -> pass ldom_set_var() And do not mind the additional 4 alignment buffer increasing, since 'sizeof(pkt) - sizeof(pkt.header)' is 4 alignment at least. Signed-off-by: Chen Gang <gang.chen@asianux.com> --- arch/sparc/kernel/ds.c | 10 ++++++++++ 1 file changed, 10 insertions(+)