Menu
▾
▴
[uml-devel] [patch] uml: check length in exitcode_proc_write()
|
From: Dan C. <dan...@or...> - 2013-10-29 19:09:35
|
We don't cap the size of buffer from the user so we could write past
the end of the array here. Only root can write to this file.
Reported-by: Nico Golde <ni...@ng...>
Reported-by: Fabian Yamaguchi <fa...@go...>
Signed-off-by: Dan Carpenter <dan...@or...>
diff --git a/arch/um/kernel/exitcode.c b/arch/um/kernel/exitcode.c
index 829df49..41ebbfe 100644
--- a/arch/um/kernel/exitcode.c
+++ b/arch/um/kernel/exitcode.c
@@ -40,9 +40,11 @@ static ssize_t exitcode_proc_write(struct file *file,
const char __user *buffer, size_t count, loff_t *pos)
{
char *end, buf[sizeof("nnnnn\0")];
+ size_t size;
int tmp;
- if (copy_from_user(buf, buffer, count))
+ size = min(count, sizeof(buf));
+ if (copy_from_user(buf, buffer, size))
return -EFAULT;
tmp = simple_strtol(buf, &end, 0);
|