PARISC: led.c - fix potential stack overflow in led_proc_write()

avoid potential stack overflow by correctly checking count parameter Reported-by: Ilja <ilja@netric.org> Signed-off-by: Helge Deller <deller@gmx.de> Acked-by: Kyle McMartin <kyle@mcmartin.ca> Cc: James E.J. Bottomley <jejb@parisc-linux.org> Cc: stable@kernel.org Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

PARISC: led.c - fix potential stack overflow in led_proc_write()
avoid potential stack overflow by correctly checking count parameter Reported-by: Ilja <ilja@netric.org> Signed-off-by: Helge Deller <deller@gmx.de> Acked-by: Kyle McMartin <kyle@mcmartin.ca> Cc: James E.J. Bottomley <jejb@parisc-linux.org> Cc: stable@kernel.org Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Helge Deller · Linus Torvalds
1 parent 9fe6206f40
Showing 1 changed file with 4 additions and 2 deletions Side-by-side Diff
drivers/parisc/led.c
@@ -176,16 +176,18 @@
 	size_t count, loff_t *pos)
 {
 	void *data = PDE(file->f_path.dentry->d_inode)->data;
-	char *cur, lbuf[count + 1];
+	char *cur, lbuf[32];
 	int d;
  
 	if (!capable(CAP_SYS_ADMIN))
 		return -EACCES;
  
-	memset(lbuf, 0, count + 1);
+	if (count >= sizeof(lbuf))
+		count = sizeof(lbuf)-1;
  
 	if (copy_from_user(lbuf, buf, count))
 		return -EFAULT;
+	lbuf[count] = 0;
  
 	cur = lbuf;
...	...	@@ -176,16 +176,18 @@
176	176	size_t count, loff_t *pos)
177	177	{
178	178	void *data = PDE(file->f_path.dentry->d_inode)->data;
179		- char *cur, lbuf[count + 1];
	179	+ char *cur, lbuf[32];
180	180	int d;
181	181
182	182	if (!capable(CAP_SYS_ADMIN))
183	183	return -EACCES;
184	184
185		- memset(lbuf, 0, count + 1);
	185	+ if (count >= sizeof(lbuf))
	186	+ count = sizeof(lbuf)-1;
186	187
187	188	if (copy_from_user(lbuf, buf, count))
188	189	return -EFAULT;
	190	+ lbuf[count] = 0;
189	191
190	192	cur = lbuf;
191	193