aboutsummaryrefslogtreecommitdiffstats
path: root/arch/sparc/kernel
diff options
context:
space:
mode:
authorChen Gang <gang.chen@asianux.com>2013-06-22 01:26:09 -0400
committerDavid S. Miller <davem@davemloft.net>2013-07-10 16:35:51 -0400
commitf118e9abddfae94d7ef88858159d7556e1c2f7f6 (patch)
treef5c58406820460df5083e5352c26cca6b87adac9 /arch/sparc/kernel
parentbfffbea1aaeeb1eb6500c83ff9653416daa5b490 (diff)
arch: sparc: kernel: check the memory length before use strcpy().
For the related next strcpy(), the destination length is less than 512, but the source maximize length may be 'OPROMMAXPARAM' (4096) which is more than 512. One work flow may: openprom_sunos_ioctl() -> if (cmd == OPROMSETOPT) getstrings() -> will alloc buffer with size 'OPROMMAXPARAM'. opromsetopt() -> devide the buffer into 'var' and 'value' of_set_property() -> pass prom_setprop() -> pass ldom_set_var() And do not mind the additional 4 alignment buffer increasing, since 'sizeof(pkt) - sizeof(pkt.header)' is 4 alignment at least. Signed-off-by: Chen Gang <gang.chen@asianux.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'arch/sparc/kernel')
-rw-r--r--arch/sparc/kernel/ds.c10
1 files changed, 10 insertions, 0 deletions
diff --git a/arch/sparc/kernel/ds.c b/arch/sparc/kernel/ds.c
index 5ef48dab5636..11d460f6f9cc 100644
--- a/arch/sparc/kernel/ds.c
+++ b/arch/sparc/kernel/ds.c
@@ -783,6 +783,16 @@ void ldom_set_var(const char *var, const char *value)
783 char *base, *p; 783 char *base, *p;
784 int msg_len, loops; 784 int msg_len, loops;
785 785
786 if (strlen(var) + strlen(value) + 2 >
787 sizeof(pkt) - sizeof(pkt.header)) {
788 printk(KERN_ERR PFX
789 "contents length: %zu, which more than max: %lu,"
790 "so could not set (%s) variable to (%s).\n",
791 strlen(var) + strlen(value) + 2,
792 sizeof(pkt) - sizeof(pkt.header), var, value);
793 return;
794 }
795
786 memset(&pkt, 0, sizeof(pkt)); 796 memset(&pkt, 0, sizeof(pkt));
787 pkt.header.data.tag.type = DS_DATA; 797 pkt.header.data.tag.type = DS_DATA;
788 pkt.header.data.handle = cp->handle; 798 pkt.header.data.handle = cp->handle;