The patch titled Subject: lib/cmdline.c: fix get_options() overflow while parsing ranges has been added to the -mm tree. Its filename is cmdline-fix-get_options-overflow-while-parsing-ranges.patch This patch should soon appear at http://ozlabs.org/~akpm/mmots/broken-out/cmdline-fix-get_options-overflow-while-parsing-ranges.patch and later at http://ozlabs.org/~akpm/mmotm/broken-out/cmdline-fix-get_options-overflow-while-parsing-ranges.patch Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/SubmitChecklist when testing your code *** The -mm tree is included into linux-next and is updated there every 3-4 working days ------------------------------------------------------ From: Ilya Matveychikov <matvejchikov@xxxxxxxxx> Subject: lib/cmdline.c: fix get_options() overflow while parsing ranges When using get_options() it's possible to specify a range of numbers, like 1-100500. The problem is that it doesn't track array size while calling internally to get_range() which iterates over the range and fills the memory with numbers. Link: http://lkml.kernel.org/r/2613C75C-B04D-4BFF-82A6-12F97BA0F620@xxxxxxxxx Signed-off-by: Ilya V. Matveychikov <matvejchikov@xxxxxxxxx> Cc: Jonathan Corbet <corbet@xxxxxxx> Cc: <stable@xxxxxxxxxxxxxxx> Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> --- lib/cmdline.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff -puN lib/cmdline.c~cmdline-fix-get_options-overflow-while-parsing-ranges lib/cmdline.c --- a/lib/cmdline.c~cmdline-fix-get_options-overflow-while-parsing-ranges +++ a/lib/cmdline.c @@ -23,14 +23,14 @@ * the values[M, M+1, ..., N] into the ints array in get_options. */ -static int get_range(char **str, int *pint) +static int get_range(char **str, int *pint, int n) { int x, inc_counter, upper_range; (*str)++; upper_range = simple_strtol((*str), NULL, 0); inc_counter = upper_range - *pint; - for (x = *pint; x < upper_range; x++) + for (x = *pint; n && x < upper_range; x++, n--) *pint++ = x; return inc_counter; } @@ -97,7 +97,7 @@ char *get_options(const char *str, int n break; if (res == 3) { int range_nums; - range_nums = get_range((char **)&str, ints + i); + range_nums = get_range((char **)&str, ints + i, nints - i); if (range_nums < 0) break; /* _ Patches currently in -mm which might be from matvejchikov@xxxxxxxxx are cmdline-fix-get_options-overflow-while-parsing-ranges.patch -- To unsubscribe from this list: send the line "unsubscribe mm-commits" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html