Am 23.11.2011 07:52, schrieb Dan Carpenter: > We do an strcpy() of mnemonic in nr_add_node(). > > Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> > > diff --git a/net/netrom/nr_route.c b/net/netrom/nr_route.c > index 915a87b..e126c48 100644 > --- a/net/netrom/nr_route.c > +++ b/net/netrom/nr_route.c > @@ -670,6 +670,8 @@ int nr_rt_ioctl(unsigned int cmd, void __user *arg) > case SIOCADDRT: > if (copy_from_user(&nr_route, arg, sizeof(struct nr_route_struct))) > return -EFAULT; > + if (strlen(nr_route.mnemonic) >= sizeof(nr_route.mnemonic)) > + return -EINVAL; I am not sure that it does what you intends. mnemonic is an array and a malicious use may fill it upto the last char causing strlen go beyond. perhaps this may help: nr_route.mnemonic[sizeof(nr_route.mnemonic)-1]=0; this of cause makes the if() redundant. > if ((dev = nr_ax25_dev_get(nr_route.device)) == NULL) > return -EINVAL; while you are here: dev = nr_ax25_dev_get(nr_route.device); if ( dev == NULL ) return -EINVAL; > if (nr_route.ndigis < 0 || nr_route.ndigis > AX25_MAX_DIGIS) { if guess "nr_route.ndigis >= AX25_MAX_DIGIS" is intended ? hope that helps, wh > -- > To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in > the body of a message to majordomo@xxxxxxxxxxxxxxx > More majordomo info at http://vger.kernel.org/majordomo-info.html > -- To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html