* [PATCH] x86: Buffer overflow
@ 2009-07-28 17:46 Roel Kluin
0 siblings, 0 replies; only message in thread
From: Roel Kluin @ 2009-07-28 17:46 UTC (permalink / raw)
To: mingo, LKML, Andrew Morton
If the vendor name (from c16) can be longer than 100 bytes (or missing a
terminating null), then the null is writen past the end of vendor[].
Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
---
Found with Parfait, http://research.sun.com/projects/parfait/
diff --git a/arch/x86/kernel/efi.c b/arch/x86/kernel/efi.c
index 96f7ac0..436a42f 100644
--- a/arch/x86/kernel/efi.c
+++ b/arch/x86/kernel/efi.c
@@ -354,7 +354,7 @@ void __init efi_init(void)
*/
c16 = tmp = early_ioremap(efi.systab->fw_vendor, 2);
if (c16) {
- for (i = 0; i < sizeof(vendor) && *c16; ++i)
+ for (i = 0; i < sizeof(vendor) - 1 && *c16; ++i)
vendor[i] = *c16++;
vendor[i] = '\0';
} else
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2009-07-28 17:43 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2009-07-28 17:46 [PATCH] x86: Buffer overflow Roel Kluin
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.