Re: [PATCH] sunrpc - fixup userspace buffer possible overrun v2
From: Ingo Oeser
Date: Sun Aug 31 2008 - 10:24:23 EST
Hi Cyrill,
On Sunday 31 August 2008, Cyrill Gorcunov wrote:
> The conclusion is that proc_do_xprt doesn't check for userside buffer
> size indeed so fix. Also set lenp to number of bytes were really written.
Why not use simple_read_from_buffer() for the read case and
keep the -EINVAL for the write case.
> Reported-by: Vegard Nossum <vegard.nossum@xxxxxxxxx>
> Signed-off-by: Cyrill Gorcunov <gorcunov@xxxxxxxxx>
> CC: David Wagner <daw@xxxxxxxxxxxxxxx>
> ---
>
> Please review.
>
> Index: linux-2.6.git/net/sunrpc/sysctl.c
> ===================================================================
> --- linux-2.6.git.orig/net/sunrpc/sysctl.c 2008-08-31 13:43:46.000000000 +0400
> +++ linux-2.6.git/net/sunrpc/sysctl.c 2008-08-31 13:58:14.000000000 +0400
> @@ -60,23 +60,26 @@ static int proc_do_xprt(ctl_table *table
> void __user *buffer, size_t *lenp, loff_t *ppos)
> {
> char tmpbuf[256];
> - int len;
> + size_t len;
> +
+ ssize_t ret;
> if ((*ppos && !write) || !*lenp) {
> *lenp = 0;
> return 0;
> }
> +
> if (write)
> return -EINVAL;
len = svc_print_xprts(tmpbuf, sizeof(tmpbuf));
ret = simple_read_from_buffer(buffer, ppos, tmpbuf, len);
if (ret >= 0) {
*lenp = ret;
ret = 0;
}
return ret;
}
Best Regards
Ingo Oeser
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/