lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 1 Mar 2007 17:24:56 +0900 From: Paul Mundt <lethal@...ux-sh.org> To: Ben Dooks <ben@...ff.org.uk> Cc: linux-kernel@...r.kernel.org, linux-fbdev-devel@...ts.sourceforge.net Subject: [PATCH] fb: sm501fb off-by-1 sysfs store Currently sm501fb_crtsrc_store() won't allow the routing to be changed via echos from userspace in to the sysfs file. The reason for this is that the strnicmp() for both heads uses a sizeof() for the string length, which ends up being strlen() + 1 (\0 in the normal case, but the echo gives a newline, which is where the issue occurs), this then causes a mismatch and subsequently bails with the -EINVAL. In addition to this, the hardcoded lengths were then used for the store length that was returned, which ended up being erroneous and resulting in a write error. There's also no point in returning anything but the full length since it will -EINVAL out on a mismatch well before then anyways. sizeof("string") is great for making sure you have space in your buffer, but rather less so for string comparisons :-) Signed-off-by: Paul Mundt <lethal@...ux-sh.org> -- drivers/video/sm501fb.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/video/sm501fb.c b/drivers/video/sm501fb.c index 02b290c..72b5358 100644 --- a/drivers/video/sm501fb.c +++ b/drivers/video/sm501fb.c @@ -1074,9 +1074,9 @@ static ssize_t sm501fb_crtsrc_store(struct device *dev, if (len < 1) return -EINVAL; - if (strnicmp(buf, "crt", sizeof("crt")) == 0) + if (strnicmp(buf, "crt", 3) == 0) head = HEAD_CRT; - else if (strnicmp(buf, "panel", sizeof("panel")) == 0) + else if (strnicmp(buf, "panel", 5) == 0) head = HEAD_PANEL; else return -EINVAL; @@ -1098,7 +1098,7 @@ static ssize_t sm501fb_crtsrc_store(struct device *dev, writel(ctrl, info->regs + SM501_DC_CRT_CONTROL); sm501fb_sync_regs(info); - return (head == HEAD_CRT) ? 3 : 5; + return len; } /* Prepare the device_attr for registration with sysfs later */ - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists