On Tue, Oct 21, 2014 at 04:46:58PM +0200, Matej Mužila wrote:
> From: Matej Mužila <mmuzila@xxxxxxxxxx>
>
> Check if cpmsg->size is in limits of DATA_FRAGMENT
>
> Signed-off-by: Matej Mužila <mmuzila@xxxxxxxxxx>
> ---
>
> If corrupted data are read from /dev/vmbus/hv_fcopy, pwrite can
> read from memory outside of the buffer (defined at line 138).
> Added check.
>
> Changes made since v1:
> * max value of cpmsg->size is now derived from structure
>   definition in sources/include/uapi/linux/hyperv.h
> * Fixed comments
>
>
> diff --git a/tools/hv/hv_fcopy_daemon.c b/tools/hv/hv_fcopy_daemon.c
> index 6f27e2f..1fc2dc2 100644
> --- a/tools/hv/hv_fcopy_daemon.c
> +++ b/tools/hv/hv_fcopy_daemon.c
> @@ -104,6 +104,10 @@ static int hv_copy_data(struct hv_do_fcopy *cpmsg)
>  {
>  	ssize_t bytes_written;
>
> +	/* Check if the cpmsg->size is in limits of DATA_FRAGMENT */
> +	if (cpmsg->size > sizeof(cpmsg->data))
> +		return HV_E_FAIL;
> +
>  	bytes_written = pwrite(target_fd, cpmsg->data, cpmsg->size,
>  			       cpmsg->offset);
>

ALWAYS run your patches through checkpatch before sending them, so you
don't get grumpy emails from maintainers telling you to do the same
thing...

Please fix this up and resend the whole series.

thanks,

greg k-h
_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
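Review bot: the new check in hv_copy_data() sits correctly before the pwrite() that reads cpmsg->size bytes out of cpmsg->data, so an oversized size from the host side can no longer make pwrite() read past the end of the buffer, but it returns HV_E_FAIL silently; a host-supplied size that exceeds sizeof(cpmsg->data) means the message is malformed or corrupted, which is exactly the event an operator wants to see, so emit a log line naming the rejected size before returning rather than dropping the message without a trace. Two smaller points: the commit message anchors the buffer to "line 138", which will go stale with the next edit to the file, so name the field (cpmsg->data, sized from struct hv_do_fcopy in include/uapi/linux/hyperv.h) instead; and the comment "Check if the cpmsg->size is in limits of DATA_FRAGMENT" describes the v1 constant while the code now compares against sizeof(cpmsg->data), so reword it to match what the check actually does.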