Re: long PCI names buffer overflow

From: Martin Mares (mj@suse.cz)
Date: Mon Mar 20 2000 - 06:03:13 EST


Hello!

> pci_name_device() (at least in 2.3.99-pre2) overwrites innocent data in struct
> pci_dev if the sum of the lengths of the vendor and device names are longer
> than 47 characters. Examples are:
>
> Digital Equipment Corporation DECchip 21140 [FasterNet]
> Digital Equipment Corporation DECchip 21140 [FasterNet] (#2)
> Acer Laboratories Inc. [ALi] M1533 PCI to ISA Bridge [Aladdin IV]

   Probably the simplest thing to do is to add the check to gen-devlist.c.
 
> Unfortunately the kernel doesn't have snprintf() yet, and updating vsprintf()
> for bounds looks quite clumsy.

   Been there, done that :) When hacking on our routing daemon, I took the
kernel's printf implementation and extended it to do bounds checking. Attached.

                                Have a nice fortnight

-- 
Martin `MJ' Mares <mj@ucw.cz> <mj@suse.cz> http://atrey.karlin.mff.cuni.cz/~mj/
"Anyone can build a fast CPU. The trick is to build a fast system." -- S. Cray

/*
 *	BIRD Library -- Formatted Output
 *
 *	(c) 1991, 1992 Lars Wirzenius & Linus Torvalds
 *
 *	Hacked up for BIRD by Martin Mares <mj@ucw.cz>
 *	Buffer size limitation implemented by Martin Mares.
 */

#include "nest/bird.h"
#include "string.h"

#include <errno.h>
#include <stdarg.h>
#include <string.h>

/* we use this so that we can do without the ctype library */ #define is_digit(c) ((c) >= '0' && (c) <= '9')

static int skip_atoi(const char **s) { int i=0;

while (is_digit(**s)) i = i*10 + *((*s)++) - '0'; return i; }

#define ZEROPAD 1 /* pad with zero */ #define SIGN 2 /* unsigned/signed long */ #define PLUS 4 /* show plus */ #define SPACE 8 /* space if plus */ #define LEFT 16 /* left justified */ #define SPECIAL 32 /* 0x */ #define LARGE 64 /* use 'ABCDEF' instead of 'abcdef' */

#define do_div(n,base) ({ \ int __res; \ __res = ((unsigned long) n) % (unsigned) base; \ n = ((unsigned long) n) / (unsigned) base; \ __res; })

static char * number(char * str, long num, int base, int size, int precision, int type, int remains) { char c,sign,tmp[66]; const char *digits="0123456789abcdefghijklmnopqrstuvwxyz"; int i;

if (size >= 0 && (remains -= size) < 0) return NULL; if (type & LARGE) digits = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"; if (type & LEFT) type &= ~ZEROPAD; if (base < 2 || base > 36) return 0; c = (type & ZEROPAD) ? '0' : ' '; sign = 0; if (type & SIGN) { if (num < 0) { sign = '-'; num = -num; size--; } else if (type & PLUS) { sign = '+'; size--; } else if (type & SPACE) { sign = ' '; size--; } } if (type & SPECIAL) { if (base == 16) size -= 2; else if (base == 8) size--; } i = 0; if (num == 0) tmp[i++]='0'; else while (num != 0) tmp[i++] = digits[do_div(num,base)]; if (i > precision) precision = i; size -= precision; if (size < 0 && -size > remains) return NULL; if (!(type&(ZEROPAD+LEFT))) while(size-->0) *str++ = ' '; if (sign) *str++ = sign; if (type & SPECIAL) { if (base==8) *str++ = '0'; else if (base==16) { *str++ = '0'; *str++ = digits[33]; } } if (!(type & LEFT)) while (size-- > 0) *str++ = c; while (i < precision--) *str++ = '0'; while (i-- > 0) *str++ = tmp[i]; while (size-- > 0) *str++ = ' '; return str; }

int bvsnprintf(char *buf, int size, const char *fmt, va_list args) { int len; unsigned long num; int i, base; char *str, *start; const char *s;

int flags; /* flags to number() */

int field_width; /* width of output field */ int precision; /* min. # of digits for integers; max number of chars for from string */ int qualifier; /* 'h', 'l', or 'L' for integer fields */

for (start=str=buf ; *fmt ; ++fmt, size-=(str-start), start=str) { if (*fmt != '%') { if (!size) return -1; *str++ = *fmt; continue; } /* process flags */ flags = 0; repeat: ++fmt; /* this also skips first '%' */ switch (*fmt) { case '-': flags |= LEFT; goto repeat; case '+': flags |= PLUS; goto repeat; case ' ': flags |= SPACE; goto repeat; case '#': flags |= SPECIAL; goto repeat; case '0': flags |= ZEROPAD; goto repeat; } /* get field width */ field_width = -1; if (is_digit(*fmt)) field_width = skip_atoi(&fmt); else if (*fmt == '*') { ++fmt; /* it's the next argument */ field_width = va_arg(args, int); if (field_width < 0) { field_width = -field_width; flags |= LEFT; } }

/* get the precision */ precision = -1; if (*fmt == '.') { ++fmt; if (is_digit(*fmt)) precision = skip_atoi(&fmt); else if (*fmt == '*') { ++fmt; /* it's the next argument */ precision = va_arg(args, int); } if (precision < 0) precision = 0; }

/* get the conversion qualifier */ qualifier = -1; if (*fmt == 'h' || *fmt == 'l' || *fmt == 'L') { qualifier = *fmt; ++fmt; }

/* default base */ base = 10;

if (field_width > size) return -1; switch (*fmt) { case 'c': if (!(flags & LEFT)) while (--field_width > 0) *str++ = ' '; *str++ = (unsigned char) va_arg(args, int); while (--field_width > 0) *str++ = ' '; continue;

case 'm': s = strerror(errno); goto str; case 's': s = va_arg(args, char *); if (!s) s = "<NULL>";

str: len = strlen(s); if (precision >= 0 && len > precision) len = precision; if (len > size) return -1;

if (!(flags & LEFT)) while (len < field_width--) *str++ = ' '; for (i = 0; i < len; ++i) *str++ = *s++; while (len < field_width--) *str++ = ' '; continue;

case 'p': if (field_width == -1) { field_width = 2*sizeof(void *); flags |= ZEROPAD; } str = number(str, (unsigned long) va_arg(args, void *), 16, field_width, precision, flags, size); if (!str) return -1; continue;

case 'n': if (qualifier == 'l') { long * ip = va_arg(args, long *); *ip = (str - buf); } else { int * ip = va_arg(args, int *); *ip = (str - buf); } continue;

/* IP address */ case 'I': if (size < STD_ADDRESS_P_LENGTH) return -1; if (flags & SPECIAL) str = ip_ntox(va_arg(args, ip_addr), str); else { len = ip_ntop(va_arg(args, ip_addr), str) - str; str += len; if (field_width >= 0) while (len++ < STD_ADDRESS_P_LENGTH) *str++ = ' '; } continue;

/* integer number formats - set up the flags and "break" */ case 'o': base = 8; break;

case 'X': flags |= LARGE; case 'x': base = 16; break;

case 'd': case 'i': flags |= SIGN; case 'u': break;

default: if (size < 2) return -1; if (*fmt != '%') *str++ = '%'; if (*fmt) *str++ = *fmt; else --fmt; continue; } if (qualifier == 'l') num = va_arg(args, unsigned long); else if (qualifier == 'h') { num = (unsigned short) va_arg(args, int); if (flags & SIGN) num = (short) num; } else if (flags & SIGN) num = va_arg(args, int); else num = va_arg(args, unsigned int); str = number(str, num, base, field_width, precision, flags, size); if (!str) return -1; } if (!size) return -1; *str = '\0'; return str-buf; }

int bvsprintf(char *buf, const char *fmt, va_list args) { return bvsnprintf(buf, 1000000000, fmt, args); }

int bsprintf(char * buf, const char *fmt, ...) { va_list args; int i;

va_start(args, fmt); i=bvsnprintf(buf, 1000000000, fmt, args); va_end(args); return i; }

int bsnprintf(char * buf, int size, const char *fmt, ...) { va_list args; int i;

va_start(args, fmt); i=bvsnprintf(buf, size, fmt, args); va_end(args); return i; }



