Re: buffer overflow in srm_env_write?!

Heid Oliver oliver.heid at siemens.com
Thu Mar 17 14:46:11 UTC 2005


I think we don't want a newline being written to SRM NVRAM, and we may need
to add one when reading NVRAM contents. And is there not even more to fix in
srm_env.c?! I have the feeling that srm_env_read() should assign some values
to its parameters *start and eof, as other similar /proc filesystem read
handlers do. Just take a look e.g. at tty_ldiscs_read_proc() in
fs/proc/proc_tty.c ..

	Oliver
 

-----Original Message-----
From: Michal Jaegermann [mailto:michal at ellpspace.math.ualberta.ca]
Sent: Monday, March 14, 2005 21:47
To: Linux and Red Hat on Alpha processors
Subject: Re: buffer overflow in srm_env_write?!

On Mon, Mar 14, 2005 at 08:15:44PM +0100, Falk Hueffner wrote:
> Heid Oliver <oliver.heid at siemens.com> writes:
> 
> > here it is.
> >
> > --- arch/alpha/kernel/srm_env.c~	2005-03-02 08:37:49.000000000 +0100
> > +++ arch/alpha/kernel/srm_env.c	2005-03-14 17:00:48.000000000 +0100
> > @@ -152,7 +152,7 @@
> >  	res = -EFAULT;
> >  	if (copy_from_user(buf, buffer, count))
> >  		goto out;
> > -	buf[count] = '\0';
> > +	buf[count-1] = '\0';
> >  
> >  	ret1 = callback_setenv(entry->id, buf, count);
> >  	if ((ret1 >> 61) == 0) {
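Review bot: the replacement line `buf[count-1] = '\0';` has no guard for count == 0; with an unsigned count the index wraps and the store lands far outside buf (the case Falk points out in his reply). It also overwrites the last user-supplied byte unconditionally, not just a trailing newline, while the unchanged `count` is still passed to callback_setenv(), so the reported length no longer matches the bytes that were kept. Suggested shape: test `count > 0 && buf[count-1] == '\n'` before stripping, decrement count when you do, and then write the terminator at buf[count]. The hunk does not show how count is bounded against the size of buf, and moving the terminator back one byte does not remove the one-past-the-end write the subject line describes; reject or clamp count to sizeof(buf) - 1 before copy_from_user().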
> > ---
> 
> That will nuke the kernel if count == 0.

Do we ever really want a trailing newline here?  If not then
such code in srm_env.c may cause the least surprises:

  if (copy_from_user(buf, buffer, count))
  	goto out;
  if (count > 0 && buf[count-1] == '\n')
  	count -= 1;
  buf[count] = '\0';

  ret1 = callback_setenv(entry->id, buf, count);
  .....

Although then, if you want that newline, you have to do something
like

echo "extra newline
"

which will not be obvious.

    Michal

_______________________________________________
axp-list mailing list
axp-list at redhat.com
https://www.redhat.com/mailman/listinfo/axp-list
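The following is an added example, not code from srm_env.c or from any kernel tree: a user-space model of the two /proc handlers the thread discusses. It makes Falk's count == 0 objection and the one-past-the-end write from the subject line visible as index values, implements the write path with Michal's newline stripping behind a bounds check on count, and models the read side with the classic read_proc contract (fill the page, set *start and *eof, return the chunk length) that Oliver says srm_env_read() should follow. SRM_ENV_BUFSZ, PAGE_SZ, fake_setenv() and every function name here are assumptions.

```c
/* Added example, not code from srm_env.c or any kernel tree: a user-space
 * model of the two /proc handlers discussed in the thread.  SRM_ENV_BUFSZ,
 * PAGE_SZ, fake_setenv() and all function names here are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define SRM_ENV_BUFSZ 256   /* assumed size of the kernel-side scratch buffer */
#define PAGE_SZ       4096  /* assumed size of the page handed to read_proc */

/* Index the patched line buf[count-1] = '\0' stores to.  For count == 0 the
 * unsigned subtraction wraps to SIZE_MAX: Falk's "nuke the kernel" case. */
size_t patched_terminator_index(size_t count)
{
    return count - 1;
}

/* Index the original line buf[count] = '\0' stores to.  count == SRM_ENV_BUFSZ
 * is the one-past-the-end write the subject line refers to. */
size_t original_terminator_index(size_t count)
{
    return count;
}

int terminator_in_bounds(size_t idx)
{
    return idx < SRM_ENV_BUFSZ;
}

/* Stand-in for callback_setenv(): records what the firmware would be given. */
static char   last_value[SRM_ENV_BUFSZ];
static size_t last_len;

static long fake_setenv(const char *val, size_t len)
{
    memcpy(last_value, val, len);
    last_value[len] = '\0';
    last_len = len;
    return 0;
}

const char *last_setenv_value(void) { return last_value; }
size_t      last_setenv_len(void)   { return last_len; }

/* Hardened write path: bound count before the copy so buf[len] is always
 * inside buf, then apply Michal's snippet (strip one trailing newline, with
 * the count > 0 guard).  Returns bytes consumed, or -1 where the kernel
 * would return an error code. */
long srm_env_write_model(const char *user_data, size_t count)
{
    char   buf[SRM_ENV_BUFSZ];
    size_t len = count;

    if (count > sizeof(buf) - 1)        /* keep room for the terminator */
        return -1;
    memcpy(buf, user_data, count);      /* copy_from_user() stand-in */

    if (len > 0 && buf[len - 1] == '\n')
        len -= 1;
    buf[len] = '\0';                    /* in bounds for every accepted count */

    if (fake_setenv(buf, len) != 0)
        return -1;
    return (long)count;                 /* the whole write was accepted */
}

/* Read side, following the classic read_proc contract Oliver refers to:
 * format into `page`, set *start and *eof, return this chunk's length.
 * The newline is added on output instead of being stored in NVRAM. */
int srm_env_read_model(char *page, char **start, off_t off, int count, int *eof)
{
    int len = snprintf(page, PAGE_SZ, "%s\n", last_value);

    if (len <= off + count)
        *eof = 1;                       /* nothing remains after this chunk */
    *start = page + off;                /* this chunk begins at offset off */
    len -= (int)off;
    if (len > count)
        len = count;
    if (len < 0)
        len = 0;
    return len;
}
```

The write model returns the full count even after dropping the newline, so a shell `echo` into the file completes in one write() instead of being retried with the stripped byte; the value handed to the firmware is the shortened one. The read model appends the newline at output time, which is where Oliver suggests it belongs once it is no longer written into NVRAM.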
