From: Kevin Corry <corryk@us.ibm.com>
To: Joe Perches <joe@perches.com>, "LKML" <linux-kernel@vger.kernel.org>
Cc: Linus Torvalds <torvalds@transmeta.com>,
Joe Thornber <joe@fib011235813.fsnet.co.uk>
Subject: Re: [PATCH 3/8] dm: prevent possible buffer overflow in ioctl interface
Date: Fri, 28 Feb 2003 08:59:25 -0600 [thread overview]
Message-ID: <03022808592509.05199@boiler> (raw)
In-Reply-To: <OF06EBF3D5.39937A14-ON87256CDB.004FD627@us.ibm.com>
On Friday 28 February 2003 08:32, you wrote:
> On Thu, 2003-02-27 at 14:05, Kevin Corry wrote:
> > Unfortunately, Linus seems to have committed that patch already. So here
> > is a patch to fix just that line.
> >
> > Thanks for catching that.
>
> Third time, strlen isn't necessary, it can be done at compile time.
>
> --- a/drivers/md/dm-ioctl.c 2003/02/27 16:29:58
> +++ b/drivers/md/dm-ioctl.c 2003/02/27 17:21:54
> @@ -174,7 +174,7 @@
> static int register_with_devfs(struct hash_cell *hc)
> {
> struct gendisk *disk = dm_disk(hc->md);
> - char *name = kmalloc(DM_NAME_LEN + strlen(DM_DIR) + 1);
> + char *name = kmalloc(DM_NAME_LEN + sizeof(DM_DIR));
> if (!name) {
> return -ENOMEM;
> }
Sorry, I sent the last patch before I got your email.
Also, the "+1" is still necessary, even if we switch to sizeof. The sprintf
call that follows copies DM_DIR, followed by a slash, followed by the name
from the hash table into the allocated string. The "+1" is for the slash in
the middle. The terminating NULL character is accounted for in DM_NAME_LEN.
Linus, here is (yet another!) patch against current BK.
--
Kevin Corry
corryk@us.ibm.com
http://evms.sourceforge.net/
--- linux-2.5.63-bk4a/drivers/md/dm-ioctl.c Fri Feb 28 08:43:19 2003
+++ linux-2.5.63-bk4b/drivers/md/dm-ioctl.c Fri Feb 28 08:44:08 2003
@@ -174,7 +174,7 @@
static int register_with_devfs(struct hash_cell *hc)
{
struct gendisk *disk = dm_disk(hc->md);
- char *name = kmalloc(DM_NAME_LEN + strlen(DM_DIR) + 1, GFP_KERNEL);
+ char *name = kmalloc(DM_NAME_LEN + sizeof(DM_DIR) + 1, GFP_KERNEL);
if (!name) {
return -ENOMEM;
}
next parent reply other threads:[~2003-02-28 14:53 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <OF06EBF3D5.39937A14-ON87256CDB.004FD627@us.ibm.com>
2003-02-28 14:59 ` Kevin Corry [this message]
2003-02-28 18:14 ` [PATCH 3/8] dm: prevent possible buffer overflow in ioctl interface Horst von Brand
2003-02-28 18:31 ` Kevin Corry
2003-02-26 17:05 device-mapper patchset 2.5.63-dm-1 Joe Thornber
2003-02-26 17:09 ` [PATCH 3/8] dm: prevent possible buffer overflow in ioctl interface Joe Thornber
2003-02-26 21:04 ` Horst von Brand
2003-02-27 14:20 ` Kevin Corry
2003-02-27 14:36 ` Kevin Corry
2003-02-27 16:25 ` Roland Dreier
2003-02-27 16:34 ` Kevin Corry
2003-02-27 22:05 ` Kevin Corry
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=03022808592509.05199@boiler \
--to=corryk@us.ibm.com \
--cc=joe@fib011235813.fsnet.co.uk \
--cc=joe@perches.com \
--cc=linux-kernel@vger.kernel.org \
--cc=torvalds@transmeta.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox