The patch titled Subject: lib/cmdline.c: fix get_options() overflow while parsing ranges has been removed from the -mm tree. Its filename was cmdline-fix-get_options-overflow-while-parsing-ranges.patch This patch was dropped because it was merged into mainline or a subsystem tree ------------------------------------------------------ From: Ilya Matveychikov <matvejchikov@xxxxxxxxx> Subject: lib/cmdline.c: fix get_options() overflow while parsing ranges When using get_options() it's possible to specify a range of numbers, like 1-100500. The problem is that it doesn't track array size while calling internally to get_range() which iterates over the range and fills the memory with numbers. Link: http://lkml.kernel.org/r/2613C75C-B04D-4BFF-82A6-12F97BA0F620@xxxxxxxxx Signed-off-by: Ilya V. Matveychikov <matvejchikov@xxxxxxxxx> Cc: Jonathan Corbet <corbet@xxxxxxx> Cc: <stable@xxxxxxxxxxxxxxx> Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> --- lib/cmdline.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff -puN lib/cmdline.c~cmdline-fix-get_options-overflow-while-parsing-ranges lib/cmdline.c --- a/lib/cmdline.c~cmdline-fix-get_options-overflow-while-parsing-ranges +++ a/lib/cmdline.c @@ -23,14 +23,14 @@ * the values[M, M+1, ..., N] into the ints array in get_options. */ -static int get_range(char **str, int *pint) +static int get_range(char **str, int *pint, int n) { int x, inc_counter, upper_range; (*str)++; upper_range = simple_strtol((*str), NULL, 0); inc_counter = upper_range - *pint; - for (x = *pint; x < upper_range; x++) + for (x = *pint; n && x < upper_range; x++, n--) *pint++ = x; return inc_counter; } @@ -97,7 +97,7 @@ char *get_options(const char *str, int n break; if (res == 3) { int range_nums; - range_nums = get_range((char **)&str, ints + i); + range_nums = get_range((char **)&str, ints + i, nints - i); if (range_nums < 0) break; /* _ Patches currently in -mm which might be from matvejchikov@xxxxxxxxx are