On Fri, Apr 05, 2013 at 02:26:35PM -0700, Joe Perches wrote:
> On Fri, 2013-04-05 at 14:02 -0700, Jacob Pan wrote:
> > +static ssize_t store_event_control(struct device *dev,
> > + struct device_attribute *attr,
> > + const char *buf,
> > + size_t size)
> > +{
> > + struct rapl_domain *rd = dev_get_drvdata(dev);
> > + unsigned int efd, new_threshold;
> > + struct file *efile = NULL;
> > + int ret = 0;
> > + int prim;
> > + struct rapl_event *ep;
> > + u64 val;
> > + char cmd[MAX_PRIM_NAME];
> > +
> > + if (sscanf(buf, "%u %s %u", &efd, cmd, &new_threshold) != 3)
> > + return -EINVAL;
>
> This sscanf looks fragile.
>
> buf = "1 some_really_long_name_longer_than_MAX_PRIM_NAME 2"
>
> stack overrun.
>
> Where does buf come from?
It comes from the sysfs core, which limits it to a PAGE_SIZE. But yes,
it does look fragile, and flat out wrong, but I'm not going into that
just yet, as that whole api should just be deleted for now.
greg k-h
--
To unsubscribe from this list: send the line "unsubscribe platform-driver-x86" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
