| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20101112023950.GA8145@verge.net.au>
Date: Fri, 12 Nov 2010 11:39:50 +0900
From: Simon Horman <horms@...ge.net.au>
To: Oliver Hartkopp <socketcan@...tkopp.net>
Cc: David Miller <davem@...emloft.net>,
Linux Netdev List <netdev@...r.kernel.org>,
Dan Rosenberg <drosenberg@...curity.com>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Urs Thuermann <urs@...ogud.escape.de>, security@...nel.org
Subject: Re: can-bcm: fix minor heap overflow
On Wed, Nov 10, 2010 at 11:10:30PM +0100, Oliver Hartkopp wrote:
> On 64-bit platforms the ASCII representation of a pointer may be up to 17
> bytes long. This patch increases the length of the buffer accordingly.
>
> http://marc.info/?l=linux-netdev&m=128872251418192&w=2
>
> Reported-by: Dan Rosenberg <drosenberg@...curity.com>
> Signed-off-by: Oliver Hartkopp <socketcan@...tkopp.net>
> CC: Linus Torvalds <torvalds@...ux-foundation.org>
>
> ---
>
> diff --git a/net/can/bcm.c b/net/can/bcm.c
> index 08ffe9e..6faa825 100644
> --- a/net/can/bcm.c
> +++ b/net/can/bcm.c
> @@ -125,7 +125,7 @@ struct bcm_sock {
> struct list_head tx_ops;
> unsigned long dropped_usr_msgs;
> struct proc_dir_entry *bcm_proc_read;
> - char procname [9]; /* pointer printed in ASCII with \0 */
> + char procname [20]; /* pointer printed in ASCII with \0 */
> };
If the string may be up to 17 bytes long why are you allocating 20?
> static inline struct bcm_sock *bcm_sk(const struct sock *sk)
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists