* [patch] cifs: writing past end of struct in cifs_convert_address()
@ 2012-03-01 7:06 Dan Carpenter
From: Dan Carpenter @ 2012-03-01 7:06 UTC (permalink / raw)
To: Steve French, Jeff Layton; +Cc: linux-cifs, kernel-janitors, samba-technical
"s6->sin6_scope_id" is an int but strict_strtoul() writes a long
so this can corrupt memory on 64-bit systems.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/fs/cifs/netmisc.c b/fs/cifs/netmisc.c
index 73e47e8..cab99b5 100644
--- a/fs/cifs/netmisc.c
+++ b/fs/cifs/netmisc.c
@@ -197,8 +197,7 @@ cifs_convert_address(struct sockaddr *dst, const char *src, int len)
memcpy(scope_id, pct + 1, slen);
scope_id[slen] = '\0';
- rc = strict_strtoul(scope_id, 0,
- (unsigned long *)&s6->sin6_scope_id);
+ rc = kstrtouint(scope_id, 0, &s6->sin6_scope_id);
rc = (rc = 0) ? 1 : 0;
}
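Review bot: the `+` line narrows the accepted input range as well as the store width, and the changelog only mentions the second. kstrtouint() returns -ERANGE for a scope id that does not fit in an unsigned int, where the removed strict_strtoul() call parsed a full unsigned long, so some strings that used to convert will now fail the conversion. That is the right behaviour for a 32-bit field, but a sentence in the description saying so would help anyone later bisecting an address-parsing change back to this commit.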
* Re: [patch] cifs: writing past end of struct in cifs_convert_address()
From: Jeff Layton @ 2012-03-01 11:47 UTC (permalink / raw)
To: Dan Carpenter
Cc: Steve French, linux-cifs-u79uwXL29TY76Z2rM5mHXA,
samba-technical-w/Ol4Ecudpl8XjKLYN78aQ,
kernel-janitors-u79uwXL29TY76Z2rM5mHXA
On Thu, 1 Mar 2012 10:06:52 +0300
Dan Carpenter <dan.carpenter@oracle.com> wrote:
> "s6->sin6_scope_id" is an int but strict_strtoul() writes a long
> so this can corrupt memory on 64-bit systems.
>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>
> diff --git a/fs/cifs/netmisc.c b/fs/cifs/netmisc.c
> index 73e47e8..cab99b5 100644
> --- a/fs/cifs/netmisc.c
> +++ b/fs/cifs/netmisc.c
> @@ -197,8 +197,7 @@ cifs_convert_address(struct sockaddr *dst, const char *src, int len)
> memcpy(scope_id, pct + 1, slen);
> scope_id[slen] = '\0';
>
> - rc = strict_strtoul(scope_id, 0,
> - (unsigned long *)&s6->sin6_scope_id);
> + rc = kstrtouint(scope_id, 0, &s6->sin6_scope_id);
> rc = (rc = 0) ? 1 : 0;
> }
>
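Review bot: the context line directly after the change is quoted here as `rc = (rc = 0) ? 1 : 0;`, which assigns rather than compares, so rc would end up 0 whatever kstrtouint() returned. If the tree really has a single `=` there it should be `==`; if it is only an artifact of the quoting there is nothing to change, but it is worth confirming because that line is the only consumer of the new call's return value.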
Reviewed-by: Jeff Layton <jlayton@redhat.com>
* Re: [patch] cifs: writing past end of struct in cifs_convert_address()
From: Jeff Layton @ 2012-03-29 19:57 UTC (permalink / raw)
To: Dan Carpenter
Cc: Steve French, linux-cifs-u79uwXL29TY76Z2rM5mHXA,
kernel-janitors-u79uwXL29TY76Z2rM5mHXA,
samba-technical-w/Ol4Ecudpl8XjKLYN78aQ
On Thu, 1 Mar 2012 10:06:52 +0300
Dan Carpenter <dan.carpenter@oracle.com> wrote:
> "s6->sin6_scope_id" is an int but strict_strtoul() writes a long
> so this can corrupt memory on 64-bit systems.
>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>
> diff --git a/fs/cifs/netmisc.c b/fs/cifs/netmisc.c
> index 73e47e8..cab99b5 100644
> --- a/fs/cifs/netmisc.c
> +++ b/fs/cifs/netmisc.c
> @@ -197,8 +197,7 @@ cifs_convert_address(struct sockaddr *dst, const char *src, int len)
> memcpy(scope_id, pct + 1, slen);
> scope_id[slen] = '\0';
>
> - rc = strict_strtoul(scope_id, 0,
> - (unsigned long *)&s6->sin6_scope_id);
> + rc = kstrtouint(scope_id, 0, &s6->sin6_scope_id);
> rc = (rc = 0) ? 1 : 0;
> }
>
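Review bot: the two `-` lines remove a store through an `(unsigned long *)` cast that the description calls memory corruption on 64-bit systems, yet the tags stop at Signed-off-by. Consider adding a stable tag so the fix reaches released kernels that still carry the cast, and say in the changelog which field or memory follows sin6_scope_id so the impact can be judged from the log alone.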
Reviewed-by: Jeff Layton <jlayton@redhat.com>
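
The width mismatch named in the patch description, modelled in userspace as an added example (not code from the patch or the kernel). `struct tail`, its guard bytes and all function names are constructed for illustration, and `store_as_uint()` only approximates kstrtouint().

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in: 32-bit scope id, then guard bytes for "what comes next". */
struct tail { uint32_t scope_id; unsigned char guard[8]; };

/* Old pattern: sizeof(long) bytes stored at the 32-bit field (memcpy models the cast). */
static int store_as_ulong(struct tail *t, const char *s)
{
    unsigned long v = strtoul(s, NULL, 0);
    memcpy((unsigned char *)t + offsetof(struct tail, scope_id), &v, sizeof(v));
    return 0;
}

/* Fixed pattern, rough userspace analogue of kstrtouint(): range-check, store 32 bits. */
static int store_as_uint(struct tail *t, const char *s)
{
    char *end;
    errno = 0;
    unsigned long v = strtoul(s, &end, 0);
    if (*s == '-' || end == s || *end != '\0')
        return -EINVAL;
    if (errno == ERANGE || v > UINT32_MAX)
        return -ERANGE;
    t->scope_id = (uint32_t)v;
    return 0;
}

/* Count guard bytes a store changed; 0 means the write stayed inside the field. */
static int guard_bytes_changed(int (*store)(struct tail *, const char *), const char *s)
{
    struct tail t;
    int n = 0;
    memset(&t, 0xAA, sizeof(t));
    store(&t, s);
    for (size_t i = 0; i < sizeof(t.guard); i++)
        n += (t.guard[i] != 0xAA);
    return n;
}

int main(void)
{
    printf("ulong store: %d guard bytes changed, uint store: %d\n",
           guard_bytes_changed(store_as_ulong, "3"), guard_bytes_changed(store_as_uint, "3"));
    return 0;
}
```

Where `unsigned long` is 64 bits the first count is 4 even for a small value such as 3, because the upper half of the long is written past the field; where `unsigned long` is 32 bits both counts are 0.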