Fix a stack buffer overflow in the SCSI layer sysfs handling code (store_host_reset()). When a host reset type is read via sscanf in str there is no limit on the length and str is defined as char str[10]. How to reproduce: Given that the sysfs entry exists, execute echo "AAAAAAAAAAAAAAAA" > /sys/devices/pci0000:00/0000:00:1f.2/ata1/host0/scsi_host/host0/host_reset Signed-off-by: Nikolay Aleksandrov <nikolay@xxxxxxxxxx> --- drivers/scsi/scsi_sysfs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c index ce5224c..51826e2 100644 --- a/drivers/scsi/scsi_sysfs.c +++ b/drivers/scsi/scsi_sysfs.c @@ -267,7 +267,7 @@ store_host_reset(struct device *dev, struct device_attribute *attr, char str[10]; int type; - sscanf(buf, "%s", str); + sscanf(buf, "%9s", str); type = check_reset_type(str); if (!type) -- 1.7.11.4 -- To unsubscribe from this list: send the line "unsubscribe linux-scsi" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
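Review bot: the return value of sscanf() on the changed line is still ignored, so when buf contains only whitespace or is empty, nothing is stored and check_reset_type(str) reads the uninitialized char str[10]. Checking the conversion count, for example `if (sscanf(buf, "%9s", str) != 1) return -EINVAL;`, or initializing str to an empty string, would close that path. The field width 9 is also tied by hand to the size in `char str[10];`, so a short comment at the declaration saying the two must change together would keep a later resize from reintroducing the overflow.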