Robert Foss wrote on Wed 11-01-2017 at 15:41 [-0500]: > buf array may overflow when writing '\0' if > MAX_LINE_LEN bytes are read during read(). How? char buf[MAX_LINE_LEN + 1]; > Signed-off-by: Robert Foss <robert.foss@xxxxxxxxxxxxx> > --- > lib/igt_debugfs.c | 8 +++++--- > 1 file changed, 5 insertions(+), 3 deletions(-) > > diff --git a/lib/igt_debugfs.c b/lib/igt_debugfs.c > index d828687a..8b8a627a 100644 > --- a/lib/igt_debugfs.c > +++ b/lib/igt_debugfs.c > @@ -594,13 +594,15 @@ static int read_crc(igt_pipe_crc_t *pipe_crc, > igt_crc_t *out) > read_len = MAX_LINE_LEN; > > igt_set_timeout(5, "CRC reading"); > - bytes_read = read(pipe_crc->crc_fd, &buf, read_len); > + bytes_read = read(pipe_crc->crc_fd, &buf, read_len - 1); > igt_reset_timeout(); > > - if (bytes_read < 0 && errno == EAGAIN) { > + if (bytes_read < 0 && errno == EAGAIN) > igt_assert(pipe_crc->flags & O_NONBLOCK); > + > + if (bytes_read < 0) > bytes_read = 0; > - } > + > buf[bytes_read] = '\0'; > > if (bytes_read && !pipe_crc_init_from_string(pipe_crc, out, > buf))
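Review bot: the commit message does not describe the out-of-bounds write this hunk actually closes, and the "read_len - 1" in the read() call looks unnecessary. With buf declared as char buf[MAX_LINE_LEN + 1], as the reply points out, a full read of MAX_LINE_LEN bytes puts the terminator at buf[MAX_LINE_LEN], which is still inside the array, so shortening the read only costs one byte of a maximum-length line. The real defect is in the removed branch: bytes_read was reset to 0 only when errno == EAGAIN, so any other read() failure left it negative and "buf[bytes_read] = '\0';" wrote before the start of buf. The new unconditional "if (bytes_read < 0) bytes_read = 0;" fixes that. Suggest dropping the "- 1", rewording the commit message to describe the negative-index write, and considering whether a non-EAGAIN failure should be reported rather than silently treated as an empty read.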