On Thu, Jul 10, 2014 at 02:45:12PM -0400, Erik Arfvidson wrote:
> + str_pos += snprintf(vbuf + str_pos, len - str_pos, "\n");
> + if (copy_to_user(buf, vbuf, str_pos)) {

The length checking here still isn't correct. snprintf() returns the number of bytes which would have been printed if there were space available, so "str_pos" could be larger than "len". So we have fixed the problem of corrupting kernel memory but it still corrupts user memory.

I think it all works correctly if you use scnprintf() instead of snprintf() but think it through because I'm not positive.

> + kfree(vbuf);
> + return -EFAULT;
> + }
> +

regards,
dan carpenter

_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
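As an added example (not code from the patch or from this mail), a user-space C model of the accumulation Dan describes: `append()` stands in for the hunk's `str_pos += ...printf(vbuf + str_pos, len - str_pos, ...)` step and `report_count()` for the loop that produces the buffer handed to copy_to_user(). The field format, the 32-byte buffer and the emulation of the kernel's scnprintf() return rule are constructed for the demonstration.

```c
/* Added example, not from the patch or the mail: a user-space model of the
 * quoted hunk's str_pos accumulation. scnprintf() is kernel-only, so its
 * return-value rule is emulated via the truncate_return flag. */
#include <stdarg.h>
#include <stdio.h>

/* One step of the hunk: str_pos += xprintf(vbuf + str_pos, len - str_pos, ...).
 * truncate_return = 1 models scnprintf() (count only bytes stored);
 * 0 models snprintf() (count bytes that would have been printed). */
static size_t append(char *vbuf, size_t len, size_t str_pos,
                     int truncate_return, const char *fmt, ...)
{
    va_list args;
    size_t space;
    int n;

    /* Model-only guard: once str_pos exceeds len, the hunk's len - str_pos
     * wraps. The kernel's vsnprintf() rejects such a size with a WARN and
     * returns 0; glibc would write out of bounds, so stop here instead. */
    if (str_pos >= len)
        return str_pos;
    space = len - str_pos;
    va_start(args, fmt);
    n = vsnprintf(vbuf + str_pos, space, fmt, args);
    va_end(args);
    if (n < 0)
        return str_pos;
    if (truncate_return && (size_t)n >= space)
        n = (int)space - 1;  /* scnprintf(): bytes actually stored, no NUL */
    return str_pos + (size_t)n;
}

/* Fill a len-byte vbuf as the hunk does (fields, then the final "\n") and
 * return the str_pos that would be handed to copy_to_user() as the count.
 * With len = 32 and three 15-byte lines: 45 via snprintf(), 31 via scnprintf(). */
static size_t report_count(size_t len, int fields, int use_scnprintf)
{
    char vbuf[64];  /* stands in for the kmalloc'd vbuf; requires len <= 64 */
    size_t str_pos = 0;
    int i;

    if (len > sizeof(vbuf))
        return 0;
    for (i = 0; i < fields; i++)
        str_pos = append(vbuf, len, str_pos, use_scnprintf,
                         "field %d: %s\n", i, "value");
    return append(vbuf, len, str_pos, use_scnprintf, "\n");
}
```

With snprintf() the count exceeds the allocation by 13 bytes, so copy_to_user() would read past the end of vbuf; with the scnprintf() rule the count stays at len - 1 and the next `len - str_pos` stays positive, which is the property Dan was unsure about.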