Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-4.9 / ad9798967dd67f080bf0e8d611b382a5d292aae2
commitad9798967dd67f080bf0e8d611b382a5d292aae2[log] [tgz]
authorAlan Cox <alan@linux.intel.com>Mon Sep 19 20:15:24 2016 +0100
committerDavid S. Miller <davem@davemloft.net>Tue Sep 20 22:51:30 2016 -0400
tree5aabd6be61938c124e1d67292e6188584a6f304a
parent5737f6c92681939e417579b421f81f035e57c582 [diff]
6pack: fix buffer length mishandling

Dmitry Vyukov wrote:
> different runs). Looking at code, the following looks suspicious -- we
> limit copy by 512 bytes, but use the original count which can be
> larger than 512:
>
> static void sixpack_receive_buf(struct tty_struct *tty,
>     const unsigned char *cp, char *fp, int count)
> {
>     unsigned char buf[512];
>     ....
>     memcpy(buf, cp, count < sizeof(buf) ? count : sizeof(buf));
>     ....
>     sixpack_decode(sp, buf, count1);

With the sane tty locking we now have I believe the following is safe as
we consume the bytes and move them into the decoded buffer before
returning.

Signed-off-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
1 file changed
tree: 5aabd6be61938c124e1d67292e6188584a6f304a
  1. arch/
  2. block/
  3. certs/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. firmware/
  8. fs/
  9. include/
  10. init/
  11. ipc/
  12. kernel/
  13. lib/
  14. mm/
  15. net/
  16. samples/
  17. scripts/
  18. security/
  19. sound/
  20. tools/
  21. usr/
  22. virt/
  23. .cocciconfig
  24. .get_maintainer.ignore
  25. .gitignore
  26. .mailmap
  27. COPYING
  28. CREDITS
  29. Kbuild
  30. Kconfig
  31. MAINTAINERS
  32. Makefile
  33. README
  34. REPORTING-BUGS