The patch titled
Subject: lib/cmdline.c: fix get_options() overflow while parsing ranges
has been removed from the -mm tree. Its filename was
cmdline-fix-get_options-overflow-while-parsing-ranges.patch
This patch was dropped because it was merged into mainline or a subsystem tree
------------------------------------------------------
From: Ilya Matveychikov <matvejchikov@xxxxxxxxx>
Subject: lib/cmdline.c: fix get_options() overflow while parsing ranges
When using get_options() it's possible to specify a range of numbers, like
1-100500. The problem is that it doesn't track array size while calling
internally to get_range() which iterates over the range and fills the
memory with numbers.
Link: http://lkml.kernel.org/r/2613C75C-B04D-4BFF-82A6-12F97BA0F620@xxxxxxxxx
Signed-off-by: Ilya V. Matveychikov <matvejchikov@xxxxxxxxx>
Cc: Jonathan Corbet <corbet@xxxxxxx>
Cc: <stable@xxxxxxxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---
lib/cmdline.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff -puN lib/cmdline.c~cmdline-fix-get_options-overflow-while-parsing-ranges lib/cmdline.c
--- a/lib/cmdline.c~cmdline-fix-get_options-overflow-while-parsing-ranges
+++ a/lib/cmdline.c
@@ -23,14 +23,14 @@
* the values[M, M+1, ..., N] into the ints array in get_options.
*/
-static int get_range(char **str, int *pint)
+static int get_range(char **str, int *pint, int n)
{
int x, inc_counter, upper_range;
(*str)++;
upper_range = simple_strtol((*str), NULL, 0);
inc_counter = upper_range - *pint;
- for (x = *pint; x < upper_range; x++)
+ for (x = *pint; n && x < upper_range; x++, n--)
*pint++ = x;
return inc_counter;
}
@@ -97,7 +97,7 @@ char *get_options(const char *str, int n
break;
if (res == 3) {
int range_nums;
- range_nums = get_range((char **)&str, ints + i);
+ range_nums = get_range((char **)&str, ints + i, nints - i);
if (range_nums < 0)
break;
/*
_
Patches currently in -mm which might be from matvejchikov@xxxxxxxxx are