On Thu, Feb 18, 2016 at 06:55:54PM +0000, Stefan Hajnoczi wrote: > The qword_get() function NUL-terminates its output buffer. If the input > string is in hex format \xXXXX... and the same length as the output > buffer, there is an off-by-one: Thanks, I'll pass this along to Linus soon, for 4.5 and stable. --b. > > int qword_get(char **bpp, char *dest, int bufsize) > { > ... > while (len < bufsize) { > ... > *dest++ = (h << 4) | l; > len++; > } > ... > *dest = '\0'; > return len; > } > > This patch ensures the NUL terminator doesn't fall outside the output > buffer. > > Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx> > --- > net/sunrpc/cache.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/net/sunrpc/cache.c b/net/sunrpc/cache.c > index 2b32fd6..273bc3a 100644 > --- a/net/sunrpc/cache.c > +++ b/net/sunrpc/cache.c > @@ -1225,7 +1225,7 @@ int qword_get(char **bpp, char *dest, int bufsize) > if (bp[0] == '\\' && bp[1] == 'x') { > /* HEX STRING */ > bp += 2; > - while (len < bufsize) { > + while (len < bufsize - 1) { > int h, l; > > h = hex_to_bin(bp[0]); > -- > 2.5.0
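Review bot: the new bound in `while (len < bufsize - 1)` assumes bufsize is at least 1. With a bufsize of 0 the loop is skipped, but the `*dest = '\0'` shown in the commit message excerpt would still write one byte, so a short comment or an early check stating that callers never pass a zero-length buffer would make the invariant explicit. The hunk also touches only the HEX STRING branch; the commit message could say whether the branch that is not shown here already reserves a byte for the terminator, so a reader can tell the off-by-one is closed for every input form. Finally, a hex string that decodes to exactly bufsize bytes now stops one byte early, and it is not visible from these lines whether the caller sees that as truncation or as an error; a sentence on the intended behaviour would help stable backporters.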