diff options
| author | Dan Carpenter <dan.carpenter@oracle.com> | 2013-09-03 05:02:32 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2013-09-04 00:27:27 -0400 |
| commit | cab6ce9ebe89303bbf5eff442776188070a22771 (patch) | |
| tree | 09a1fd1803efce93d399bd741d5f63a2f809890b | |
| parent | 0b536be7b987de14dab63ea565fc1e271a7f3a5f (diff) | |
caif: add a sanity check to the tty name
"tty->name" and "name" are a 64 character buffers. My static checker
complains because we add the "cf" on the front so it look like we are
copying a 66 character string into a 64 character buffer.
Also if the name is larger than IFNAMSIZ (16) it triggers a BUG_ON()
inside the call to alloc_netdev().
This is all under CAP_SYS_ADMIN so it's not a security fix, it just adds
a little robustness.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
| -rw-r--r-- | drivers/net/caif/caif_serial.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/drivers/net/caif/caif_serial.c b/drivers/net/caif/caif_serial.c index 34dea95d58db..88a6a5810ec6 100644 --- a/drivers/net/caif/caif_serial.c +++ b/drivers/net/caif/caif_serial.c | |||
| @@ -347,7 +347,9 @@ static int ldisc_open(struct tty_struct *tty) | |||
| 347 | /* release devices to avoid name collision */ | 347 | /* release devices to avoid name collision */ |
| 348 | ser_release(NULL); | 348 | ser_release(NULL); |
| 349 | 349 | ||
| 350 | sprintf(name, "cf%s", tty->name); | 350 | result = snprintf(name, sizeof(name), "cf%s", tty->name); |
| 351 | if (result >= IFNAMSIZ) | ||
| 352 | return -EINVAL; | ||
| 351 | dev = alloc_netdev(sizeof(*ser), name, caifdev_setup); | 353 | dev = alloc_netdev(sizeof(*ser), name, caifdev_setup); |
| 352 | if (!dev) | 354 | if (!dev) |
| 353 | return -ENOMEM; | 355 | return -ENOMEM; |