Commit 4b4fd27c0b5ec638a1f06ced9226fd95229dbbf0
Committed by
Linus Torvalds
1 parent
9fe6206f40
Exists in
master
and in
4 other branches
PARISC: led.c - fix potential stack overflow in led_proc_write()
avoid potential stack overflow by correctly checking count parameter Reported-by: Ilja <ilja@netric.org> Signed-off-by: Helge Deller <deller@gmx.de> Acked-by: Kyle McMartin <kyle@mcmartin.ca> Cc: James E.J. Bottomley <jejb@parisc-linux.org> Cc: stable@kernel.org Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Showing 1 changed file with 4 additions and 2 deletions Side-by-side Diff
drivers/parisc/led.c
... | ... | @@ -176,16 +176,18 @@ |
176 | 176 | size_t count, loff_t *pos) |
177 | 177 | { |
178 | 178 | void *data = PDE(file->f_path.dentry->d_inode)->data; |
179 | - char *cur, lbuf[count + 1]; | |
179 | + char *cur, lbuf[32]; | |
180 | 180 | int d; |
181 | 181 | |
182 | 182 | if (!capable(CAP_SYS_ADMIN)) |
183 | 183 | return -EACCES; |
184 | 184 | |
185 | - memset(lbuf, 0, count + 1); | |
185 | + if (count >= sizeof(lbuf)) | |
186 | + count = sizeof(lbuf)-1; | |
186 | 187 | |
187 | 188 | if (copy_from_user(lbuf, buf, count)) |
188 | 189 | return -EFAULT; |
190 | + lbuf[count] = 0; | |
189 | 191 | |
190 | 192 | cur = lbuf; |
191 | 193 |