[merged] cmdline-fix-get_options-overflow-while-parsing-ranges.patch removed from -mm tree

akpm@xxxxxxxxxxxxxxxxxxxx · Mon, 26 Jun 2017 13:22:46 -0700

The patch titled
     Subject: lib/cmdline.c: fix get_options() overflow while parsing ranges
has been removed from the -mm tree.  Its filename was
     cmdline-fix-get_options-overflow-while-parsing-ranges.patch

This patch was dropped because it was merged into mainline or a subsystem tree

------------------------------------------------------
From: Ilya Matveychikov <matvejchikov@xxxxxxxxx>
Subject: lib/cmdline.c: fix get_options() overflow while parsing ranges

When using get_options() it's possible to specify a range of numbers, like
1-100500.  The problem is that it doesn't track array size while calling
internally to get_range() which iterates over the range and fills the
memory with numbers.

Link: http://lkml.kernel.org/r/2613C75C-B04D-4BFF-82A6-12F97BA0F620@xxxxxxxxx
Signed-off-by: Ilya V. Matveychikov <matvejchikov@xxxxxxxxx>
Cc: Jonathan Corbet <corbet@xxxxxxx>
Cc: <stable@xxxxxxxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---

 lib/cmdline.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff -puN lib/cmdline.c~cmdline-fix-get_options-overflow-while-parsing-ranges lib/cmdline.c

--- a/lib/cmdline.c~cmdline-fix-get_options-overflow-while-parsing-ranges
+++ a/lib/cmdline.c
@@ -23,14 +23,14 @@
  *	the values[M, M+1, ..., N] into the ints array in get_options.
  */
 
-static int get_range(char **str, int *pint)
+static int get_range(char **str, int *pint, int n)
 {
 	int x, inc_counter, upper_range;
 
 	(*str)++;
 	upper_range = simple_strtol((*str), NULL, 0);
 	inc_counter = upper_range - *pint;
-	for (x = *pint; x < upper_range; x++)
+	for (x = *pint; n && x < upper_range; x++, n--)
 		*pint++ = x;
 	return inc_counter;
 }
@@ -97,7 +97,7 @@ char *get_options(const char *str, int n
 			break;
 		if (res == 3) {
 			int range_nums;
-			range_nums = get_range((char **)&str, ints + i);
+			range_nums = get_range((char **)&str, ints + i, nints - i);
 			if (range_nums < 0)
 				break;
 			/*
_

Patches currently in -mm which might be from matvejchikov@xxxxxxxxx are


--
To unsubscribe from this list: send the line "unsubscribe mm-commits" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html






