lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <lsq.1519831221.18292864@decadent.org.uk>
Date:   Wed, 28 Feb 2018 15:20:21 +0000
From:   Ben Hutchings <ben@...adent.org.uk>
To:     linux-kernel@...r.kernel.org, stable@...r.kernel.org
CC:     akpm@...ux-foundation.org, "Juan Zea" <juan.zea@...del.com>,
        "Shuah Khan" <shuahkh@....samsung.com>,
        "Greg Kroah-Hartman" <gregkh@...uxfoundation.org>
Subject: [PATCH 3.2 061/140] usbip: fix usbip bind writing random string
 after command in match_busid

3.2.100-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Juan Zea <juan.zea@...del.com>

commit 544c4605acc5ae4afe7dd5914147947db182f2fb upstream.

usbip bind writes commands followed by random string when writing to
match_busid attribute in sysfs, caused by using full variable size
instead of string length.

Signed-off-by: Juan Zea <juan.zea@...del.com>
Acked-by: Shuah Khan <shuahkh@....samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@...adent.org.uk>
---
 drivers/staging/usbip/userspace/src/utils.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

--- a/drivers/staging/usbip/userspace/src/utils.c
+++ b/drivers/staging/usbip/userspace/src/utils.c
@@ -34,6 +34,7 @@ int modify_match_busid(char *busid, int
 	char match_busid_attr_path[SYSFS_PATH_MAX];
 	struct sysfs_attribute *match_busid_attr;
 	int rc, ret = 0;
+	int cmd_size;
 
 	if (strnlen(busid, SYSFS_BUS_ID_SIZE) > SYSFS_BUS_ID_SIZE - 1) {
 		dbg("busid is too long");
@@ -58,13 +59,15 @@ int modify_match_busid(char *busid, int
 	}
 
 	if (add)
-		snprintf(buff, SYSFS_BUS_ID_SIZE + 4, "add %s", busid);
+		cmd_size = snprintf(buff, SYSFS_BUS_ID_SIZE + 4, "add %s",
+				    busid);
 	else
-		snprintf(buff, SYSFS_BUS_ID_SIZE + 4, "del %s", busid);
+		cmd_size = snprintf(buff, SYSFS_BUS_ID_SIZE + 4, "del %s",
+				    busid);
 
 	dbg("write \"%s\" to %s", buff, match_busid_attr->path);
 
-	rc = sysfs_write_attribute(match_busid_attr, buff, sizeof(buff));
+	rc = sysfs_write_attribute(match_busid_attr, buff, cmd_size);
 	if (rc < 0) {
 		dbg("failed to write match_busid: %s", strerror(errno));
 		ret = -1;

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ