Re: [PATCH 4.17] bcma: fix buffer size caused crash in bcma_core_mips_print_irq()

On Tue, 2018-05-08 at 11:31 +0200, Rafał Miłecki wrote:
> From: Rafał Miłecki <rafal@xxxxxxxxxx>
> 
> Used buffer wasn't big enough to hold whole strings. Example output of
> this function is:
> [    0.180892] bcma: bus0: core 0x0800, irq: 2(S)* 3  4  5  6  D  I
> [    0.180948] bcma: bus0: core 0x0812, irq: 2(S)  3* 4  5  6  D  I
> [    0.180998] bcma: bus0: core 0x082d, irq: 2(S)  3  4* 5  6  D  I
> [    0.181046] bcma: bus0: core 0x082c, irq: 2(S)  3  4  5  6  D  I*
> which means we need to store up to 24 chars.
> 
> Fixes: 758f7e06063a8 ("bcma: Use bcma_debug and not pr_cont in MIPS driver")
> Signed-off-by: Rafał Miłecki <rafal@xxxxxxxxxx>
> Cc: stable@xxxxxxxxxxxxxxx # v4.15+

Oops.  Apologies for not counting properly.

> ---
>  drivers/bcma/driver_mips.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/bcma/driver_mips.c b/drivers/bcma/driver_mips.c
> index f040aba48d50..27e9686b6d3a 100644
> --- a/drivers/bcma/driver_mips.c
> +++ b/drivers/bcma/driver_mips.c
> @@ -184,7 +184,7 @@ static void bcma_core_mips_print_irq(struct bcma_device *dev, unsigned int irq)
>  {
>  	int i;
>  	static const char *irq_name[] = {"2(S)", "3", "4", "5", "6", "D", "I"};
> -	char interrupts[20];
> +	char interrupts[25];
>  	char *ints = interrupts;
>  
>  	for (i = 0; i < ARRAY_SIZE(irq_name); i++)
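
Review bot: the new size in `char interrupts[25];` is a hand-counted constant with no slack, and nothing ties it to the contents of `irq_name[]`. The commit message puts the longest string at 24 characters, so 25 covers that plus the terminating NUL and nothing more; the miscount of 20 being fixed here can recur the next time an entry in that table is added or lengthened. Suggest a comment stating how the 25 is derived, and having the loop that starts at `for (i = 0; i < ARRAY_SIZE(irq_name); i++)` write through a bounded call such as scnprintf() with the remaining space (the loop body is not visible in this hunk, so this may already be the case), so that a future miscount truncates the output instead of overrunning the stack buffer.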
