lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-Id: <20101008121302.b281e84a.akpm@linux-foundation.org>
Date:	Fri, 8 Oct 2010 12:13:02 -0700
From:	Andrew Morton <akpm@...ux-foundation.org>
To:	Namhyung Kim <namhyung@...il.com>
Cc:	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] lib/parser: cleanup match_number()

On Sat,  9 Oct 2010 00:44:17 +0900
Namhyung Kim <namhyung@...il.com> wrote:

> Use new variable 'len' to make code more readable.
> 
> Signed-off-by: Namhyung Kim <namhyung@...il.com>
> ---
>  lib/parser.c |    7 ++++---
>  1 files changed, 4 insertions(+), 3 deletions(-)
> 
> diff --git a/lib/parser.c b/lib/parser.c
> index fb34977..6e89eca 100644
> --- a/lib/parser.c
> +++ b/lib/parser.c
> @@ -128,12 +128,13 @@ static int match_number(substring_t *s, int *result, int base)
>  	char *endp;
>  	char *buf;
>  	int ret;
> +	size_t len = s->to - s->from;
>  
> -	buf = kmalloc(s->to - s->from + 1, GFP_KERNEL);
> +	buf = kmalloc(len + 1, GFP_KERNEL);
>  	if (!buf)
>  		return -ENOMEM;
> -	memcpy(buf, s->from, s->to - s->from);
> -	buf[s->to - s->from] = '\0';
> +	memcpy(buf, s->from, len);
> +	buf[len] = '\0';
>  	*result = simple_strtol(buf, &endp, base);
>  	ret = 0;
>  	if (endp == buf)

Fair enough.  `len' should strictly be ptrdiff_t and then later on it
wants to be size_t. I can't think of much to do about that...

The function itself looks a bit buggy to me:

static int match_number(substring_t *s, int *result, int base)
{
	char *endp;
	char *buf;
	int ret;
	size_t len = s->to - s->from;

	buf = kmalloc(len + 1, GFP_KERNEL);
	if (!buf)
		return -ENOMEM;
	memcpy(buf, s->from, len);
	buf[len] = '\0';
	*result = simple_strtol(buf, &endp, base);
	ret = 0;
	if (endp == buf)
		ret = -EINVAL;
	kfree(buf);
	return ret;
}

afaict, if you feed it "12q34" then simple_strtoul() will return a
pointer to the 'q' and the result is 12.  The `if (endp == buf)' check
will return false, so this function's attempt to check that all digits
were valid doesn't work right.

If I'm correct, that's fixable by using strict_strtol() or by switching
the test to "if (*endp == '\0')" or similar.  But fixing this may
easily break existing kernel code and existing machine installations,
so we need to tread carefully.




--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ