[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <2acb25707f916de866aa520b1a9f04f0f48c949c.1286193571.git.EXT-Eugeny.Kuznetsov@nokia.com>
Date: Tue, 5 Oct 2010 12:38:05 +0400
From: Evgeny Kuznetsov <EXT-Eugeny.Kuznetsov@...ia.com>
To: menage@...gle.com, lizf@...fujitsu.com
Cc: akpm@...ux-foundation.org, kamezawa.hiroyu@...fujitsu.com,
bblum@...rew.cmu.edu, containers@...ts.linux-foundation.org,
linux-kernel@...r.kernel.org, ext-eugeny.kuznetsov@...ia.com
Subject: [PATCH 1/1] cgroups: strcpy destination string overflow
From: Evgeny Kuznetsov <ext-eugeny.kuznetsov@...ia.com>
Function "strcpy" is used without check for maximum allowed source
string length and could cause destination string overflow.
Check for string length is added before using "strcpy".
Function now is return error if source string length is more than
a maximum.
Signed-off-by: Evgeny Kuznetsov <EXT-Eugeny.Kuznetsov@...ia.com>
---
kernel/cgroup.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index c9483d8..82bbede 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -1883,6 +1883,8 @@ static int cgroup_release_agent_write(struct cgroup *cgrp, struct cftype *cft,
const char *buffer)
{
BUILD_BUG_ON(sizeof(cgrp->root->release_agent_path) < PATH_MAX);
+ if (strlen(buffer) >= PATH_MAX)
+ return -EINVAL;
if (!cgroup_lock_live_group(cgrp))
return -ENODEV;
strcpy(cgrp->root->release_agent_path, buffer);
--
1.6.3.3
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists