Re: [PATCH 3/8] dm: prevent possible buffer overflow in ioctl interface

From: Kevin Corry (corryk@us.ibm.com)
Date: Thu Feb 27 2003 - 09:20:59 EST

On Wednesday 26 February 2003 15:04, Horst von Brand wrote:
> Joe Thornber <joe@fib011235813.fsnet.co.uk> said:
> > Use the correct size for "name" in register_with_devfs().
> >
> > During Al Viro's devfs cleanup a few versions ago, this function was
> > rewritten, and the "name" string added. The 32-byte size is not large
> > enough to prevent a possible buffer overflow in the sprintf() call,
> > since the hash cell can have a name up to 128 characters.
> >
> > [Kevin Corry]
> >
> > --- diff/drivers/md/dm-ioctl.c 2003-02-26 16:09:42.000000000 +0000
> > +++ source/drivers/md/dm-ioctl.c 2003-02-26 16:09:52.000000000 +0000
> > @@ -173,7 +173,7 @@
> > */
> > static int register_with_devfs(struct hash_cell *hc)
> > {
> > - char name[32];
> > + char name[DM_NAME_LEN + strlen(DM_DIR) + 1];
>
> This either makes a large name array or generates a possibly huge array at
> runtime (bad if your stack is < 8KiB).

Would this be better? 

-- 
Kevin Corry
corryk@us.ibm.com
http://evms.sourceforge.net/

--- linux-2.5.60a/drivers/md/dm-ioctl.c	2003/02/13 16:43:26
+++ linux-2.5.60b/drivers/md/dm-ioctl.c	2003/02/27 14:17:00
@@ -173,8 +173,11 @@
  */
 static int register_with_devfs(struct hash_cell *hc)
 {
-	char name[DM_NAME_LEN + strlen(DM_DIR) + 1];
 	struct gendisk *disk = dm_disk(hc->md);
+	char *name = kmalloc(DM_NAME_LEN + strlen(DM_DIR) + 1);
+	if (!name) {
+		return -ENOMEM;
+	}
 
 	sprintf(name, DM_DIR "/%s", hc->name);
 	devfs_register(NULL, name, DEVFS_FL_CURRENT_OWNER,

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

This archive was generated by hypermail 2b29 : Fri Feb 28 2003 - 22:00:43 EST