Re: [PATCH] sunrpc - fixup userspace buffer possible overrun v2
From: Cyrill Gorcunov
Date: Sun Aug 31 2008 - 10:41:46 EST
[Ingo Oeser - Sun, Aug 31, 2008 at 04:09:10PM +0200]
| Hi Cyrill,
|
| On Sunday 31 August 2008, Cyrill Gorcunov wrote:
| > The conclusion is that proc_do_xprt doesn't check for userside buffer
| > size indeed so fix. Also set lenp to number of bytes were really written.
|
| Why not use simple_read_from_buffer() for the read case and
| keep the -EINVAL for the write case.
Ah, thanks Ingo - good idea. Btw does libfs.c depends
on anything?
|
| > Reported-by: Vegard Nossum <vegard.nossum@xxxxxxxxx>
| > Signed-off-by: Cyrill Gorcunov <gorcunov@xxxxxxxxx>
| > CC: David Wagner <daw@xxxxxxxxxxxxxxx>
| > ---
| >
| > Please review.
| >
| > Index: linux-2.6.git/net/sunrpc/sysctl.c
| > ===================================================================
| > --- linux-2.6.git.orig/net/sunrpc/sysctl.c 2008-08-31 13:43:46.000000000 +0400
| > +++ linux-2.6.git/net/sunrpc/sysctl.c 2008-08-31 13:58:14.000000000 +0400
| > @@ -60,23 +60,26 @@ static int proc_do_xprt(ctl_table *table
| > void __user *buffer, size_t *lenp, loff_t *ppos)
| > {
| > char tmpbuf[256];
| > - int len;
| > + size_t len;
| > +
| + ssize_t ret;
| > if ((*ppos && !write) || !*lenp) {
| > *lenp = 0;
| > return 0;
| > }
| > +
| > if (write)
| > return -EINVAL;
|
| len = svc_print_xprts(tmpbuf, sizeof(tmpbuf));
| ret = simple_read_from_buffer(buffer, ppos, tmpbuf, len);
| if (ret >= 0) {
| *lenp = ret;
| ret = 0;
| }
|
| return ret;
| }
|
|
| Best Regards
|
| Ingo Oeser
|
- Cyrill -
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/