Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-4.9 / 0eff683f737bf684dc9299e2eaca79cceb80a8c1
commit0eff683f737bf684dc9299e2eaca79cceb80a8c1[log] [tgz]
authorDan Carpenter <error27@gmail.com>Wed Jul 14 17:56:37 2010 -0700
committerDavid S. Miller <davem@davemloft.net>Wed Jul 14 17:56:37 2010 -0700
treeab92685be15606c06dbab82c581a3b1c0da72986
parentf8320f059296eb8cab6e2429c7ec79b43d42cf42 [diff]
net/sched: potential data corruption

The reset_policy() does:
        memset(d->tcfd_defdata, 0, SIMP_MAX_DATA);
        strlcpy(d->tcfd_defdata, defdata, SIMP_MAX_DATA);

In the original code, the size of d->tcfd_defdata wasn't fixed and if
strlen(defdata) was less than 31, reset_policy() would cause memory
corruption.

Please Note:  The original alloc_defdata() assumes defdata is 32
characters and a NUL terminator while reset_policy() assumes defdata is
31 characters and a NUL.  This patch updates alloc_defdata() to match
reset_policy() (ie a shorter string).  I'm not very familiar with this
code so please review carefully.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Acked-by: Jamal Hadi Salim <hadi@cyberus.ca>
Signed-off-by: David S. Miller <davem@davemloft.net>
1 file changed
tree: ab92685be15606c06dbab82c581a3b1c0da72986
  1. arch/
  2. block/
  3. crypto/
  4. Documentation/
  5. drivers/
  6. firmware/
  7. fs/
  8. include/
  9. init/
  10. ipc/
  11. kernel/
  12. lib/
  13. mm/
  14. net/
  15. samples/
  16. scripts/
  17. security/
  18. sound/
  19. tools/
  20. usr/
  21. virt/
  22. .gitignore
  23. .mailmap
  24. COPYING
  25. CREDITS
  26. Kbuild
  27. MAINTAINERS
  28. Makefile
  29. README
  30. REPORTING-BUGS