| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1457366570.15205.18.camel@decadent.org.uk>
Date: Mon, 07 Mar 2016 16:02:50 +0000
From: Ben Hutchings <ben@...adent.org.uk>
To: David Decotigny <ddecotig@...il.com>, netdev@...r.kernel.org
Cc: Jeff Garzik <jgarzik@...ox.com>, David Miller <davem@...hat.com>,
Vidya Sagar Ravipati <vidya@...ulusnetworks.com>,
Joe Perches <joe@...ches.com>,
David Decotigny <decot@...glers.com>
Subject: Re: [ethtool PATCH v3 03/12] ethtool.c: fix dump_regs heap
corruption
On Fri, 2016-03-04 at 16:42 -0800, David Decotigny wrote:
> From: David Decotigny <decot@...glers.com>
>
> The 'regs' pointer is owned by do_gregs(), but updated internally inside
> dump_regs() without propagating it back to do_gregs(): later free(regs)
> in do_gregs() reclaims the wrong area. This commit moves the realloc()
> inside do_gregs().
Wow, how did we ever get away with this?
Maybe no-one ever used this feature - it certainly makes very little
sense to save a register dump without the driver name or version
number, and then to assume that a loaded register dump matches the
running driver!
[...]
> @@ -2711,7 +2691,31 @@ static int do_gregs(struct cmd_context *ctx)
> free(regs);
> return 74;
> }
> - if (dump_regs(gregs_dump_raw, gregs_dump_hex, gregs_dump_file,
> +
> + if ((!gregs_dump_raw) && (NULL != gregs_dump_file)) {
[...]
Redundant parentheses, and the comparison is written the wrong way
round.
Ben.
--
Ben Hutchings
The most exhausting thing in life is being insincere. - Anne Morrow Lindberg
Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)
Powered by blists - more mailing lists