* [PATCH] [SCSI] scsi_sysfs: fix a buffer overflow in sysfs handling
@ 2012-11-07 10:57 Nikolay Aleksandrov
From: Nikolay Aleksandrov @ 2012-11-07 10:57 UTC (permalink / raw)
To: linux-scsi; +Cc: linux-kernel, JBottomley, nikolay

Fix a stack buffer overflow in the SCSI layer sysfs handling code
(store_host_reset()). When a host reset type is read via sscanf in str
there is no limit on the length and str is defined as char str[10].

How to reproduce:
Given that the sysfs entry exists, execute
echo "AAAAAAAAAAAAAAAA" > /sys/devices/pci0000:00/0000:00:1f.2/ata1/host0/scsi_host/host0/host_reset

Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com>
---
drivers/scsi/scsi_sysfs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c
index ce5224c..51826e2 100644
--- a/drivers/scsi/scsi_sysfs.c
+++ b/drivers/scsi/scsi_sysfs.c
@@ -267,7 +267,7 @@ store_host_reset(struct device *dev, struct device_attribute *attr,
char str[10];
int type;
- sscanf(buf, "%s", str);
+ sscanf(buf, "%9s", str);
type = check_reset_type(str);
if (!type)
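Review bot: the return value of sscanf() on the changed line is still not checked, so when buf is empty or holds only whitespace nothing is stored in str and check_reset_type(str) reads an uninitialized stack buffer. Consider testing the result, for example `if (sscanf(buf, "%9s", str) != 1) return -EINVAL;`, or zero-initializing str at its declaration. The width 9 is also tied to `char str[10]` only by convention; a short comment next to the declaration would keep the two in sync if the array size is changed later. Note that over-long input is now silently truncated to 9 characters before it reaches check_reset_type(), so the comparison there should not accept a string on a prefix match alone.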
--
1.7.11.4