On 03/07/2014 10:02 AM, Greg KH wrote:
On Fri, Mar 07, 2014 at 07:10:57AM -0600, Ken Cox wrote:A character array was declared on the stack with variable length. This has been corrected to use a fixed length. Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> Signed-off-by: Ken Cox <jkc@xxxxxxxxxx> --- drivers/staging/unisys/virthba/virthba.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/staging/unisys/virthba/virthba.c b/drivers/staging/unisys/virthba/virthba.c index c292293..3820c57 100644 --- a/drivers/staging/unisys/virthba/virthba.c +++ b/drivers/staging/unisys/virthba/virthba.c @@ -1439,12 +1439,17 @@ static ssize_t enable_ints_write(struct file *file, const char __user *buffer, size_t count, loff_t *ppos) { - char buf[count + 1]; + char buf[4]; int i, new_value; struct virthba_info *virthbainfo; U64 *Features_addr; U64 mask;+ if (count > 2) {+ LOGERR("invalid count<<%lu>>\n", count);Nice, a simple way to DoS the syslog from any user :) Don't even log this, you are going to be ripping all of those macros out eventually, so don't add new ones...
Good point. Revised patch coming. _______________________________________________ devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxx http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
