diff options
author | Cliff Wickman <cpw@sgi.com> | 2008-06-20 15:02:00 -0400 |
---|---|---|
committer | Tony Luck <tony.luck@intel.com> | 2008-06-20 15:02:00 -0400 |
commit | e0c6d97c65e0784aade7e97b9411f245a6c543e7 (patch) | |
tree | dd860efd59feb48050598035301628b79b5b954f /arch/ia64/sn | |
parent | 9bedbcb207ed9a571b239231d99c8fd4a34ae24d (diff) |
[IA64] SN2: security hole in sn2_ptc_proc_write
Security hole in sn2_ptc_proc_write
It is possible to overrun a buffer with a write to this /proc file.
Signed-off-by: Cliff Wickman <cpw@sgi.com>
Signed-off-by: Tony Luck <tony.luck@intel.com>
Diffstat (limited to 'arch/ia64/sn')
-rw-r--r-- | arch/ia64/sn/kernel/sn2/sn2_smp.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/arch/ia64/sn/kernel/sn2/sn2_smp.c b/arch/ia64/sn/kernel/sn2/sn2_smp.c index 49d3120415eb..6dd886c5d860 100644 --- a/arch/ia64/sn/kernel/sn2/sn2_smp.c +++ b/arch/ia64/sn/kernel/sn2/sn2_smp.c | |||
@@ -512,6 +512,8 @@ static ssize_t sn2_ptc_proc_write(struct file *file, const char __user *user, si | |||
512 | int cpu; | 512 | int cpu; |
513 | char optstr[64]; | 513 | char optstr[64]; |
514 | 514 | ||
515 | if (count > sizeof(optstr)) | ||
516 | return -EINVAL; | ||
515 | if (copy_from_user(optstr, user, count)) | 517 | if (copy_from_user(optstr, user, count)) |
516 | return -EFAULT; | 518 | return -EFAULT; |
517 | optstr[count - 1] = '\0'; | 519 | optstr[count - 1] = '\0'; |