| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 8 Aug 2017 21:23:53 +0800
From: Pan Bian <bianpan2016@....com>
To: Eric Van Hensbergen <ericvh@...il.com>,
Ron Minnich <rminnich@...dia.gov>,
Latchesar Ionkov <lucho@...kov.net>,
"David S. Miller" <davem@...emloft.net>
Cc: v9fs-developer@...ts.sourceforge.net, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org, Pan Bian <bianpan2016@....com>
Subject: xen/9pfs: check return value of xenbus_read correctly
In function xen_9pfs_front_probe(), variable len is checked against 0 to
to check the case that xenbus_read() fails. However, xenbus_read() may
return an ERR_PTR pointer even aften assigning a non-zero value to len.
As a result, the check of len cannot prevent from accessing bad memory.
Signed-off-by: Pan Bian <bianpan2016@....com>
---
net/9p/trans_xen.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/9p/trans_xen.c b/net/9p/trans_xen.c
index 6ad3e04..c548781 100644
--- a/net/9p/trans_xen.c
+++ b/net/9p/trans_xen.c
@@ -389,7 +389,7 @@ static int xen_9pfs_front_probe(struct xenbus_device *dev,
unsigned int max_rings, max_ring_order, len = 0;
versions = xenbus_read(XBT_NIL, dev->otherend, "versions", &len);
- if (!len)
+ if (IS_ERR(versions))
return -EINVAL;
if (strcmp(versions, "1")) {
kfree(versions);
--
1.9.1
Powered by blists - more mailing lists