From patchwork Thu Oct 28 06:05:29 2010
X-Patchwork-Submitter: Dan Carpenter
X-Patchwork-Id: 69437
X-Patchwork-Delegate: davem@davemloft.net
Date: Thu, 28 Oct 2010 08:05:29 +0200
From: Dan Carpenter
To: Nelson Elhage
Cc: Eric Dumazet, "David S. Miller", Robert Olsson, Andy Shevchenko, netdev@vger.kernel.org
Subject: [patch v3] fix stack overflow in pktgen_if_write()
Message-ID: <20101028060529.GX6062@bicker>
References: <1288206788-21063-1-git-send-email-nelhage@ksplice.com> <20101027221234.GN6062@bicker> <20101027224302.GQ6062@bicker> <20101027230657.GT16803@ksplice.com>
In-Reply-To: <20101027230657.GT16803@ksplice.com>

Nelson Elhage says he was able to oops both amd64 and i386 test machines with 8k writes to the pktgen file. Let's just allocate the buffer on the heap instead of on the stack. This can only be triggered by root so there are no security issues here.

Reported-by: Nelson Elhage
Signed-off-by: Dan Carpenter
---
v3: just use kmalloc()

diff --git a/net/core/pktgen.c b/net/core/pktgen.c index 2c0df0f..c8d3620 100644 --- a/net/core/pktgen.c +++ b/net/core/pktgen.c @@ -887,12 +887,17 @@ static ssize_t pktgen_if_write(struct file *file, i += len; if (debug) { - char tb[count + 1]; + char *tb; + + tb = kmalloc(count + 1, GFP_KERNEL); + if (!tb) + return -ENOMEM; if (copy_from_user(tb, user_buffer, count)) return -EFAULT; tb[count] = 0; printk(KERN_DEBUG "pktgen: %s,%lu buffer -:%s:-\n", name, (unsigned long)count, tb); + kfree(tb); } if (!strcmp(name, "min_pkt_size")) {
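
Review bot: The unchanged `return -EFAULT;` after `copy_from_user()` inside the `if (debug)` block now returns without freeing `tb`, so each failed copy leaks the `count + 1` bytes just allocated. Add `kfree(tb);` before that return, or send both exits through one cleanup label. Separately, nothing visible in this hunk bounds `count` before `kmalloc(count + 1, GFP_KERNEL)`: moving the buffer off the stack removes the overflow, but a single write still decides the allocation size, so consider capping the length copied for the debug print.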