* [PATCH] x86: Buffer overflow
@ 2009-07-28 17:46 Roel Kluin
From: Roel Kluin @ 2009-07-28 17:46 UTC (permalink / raw)
To: mingo, LKML, Andrew Morton
If the vendor name (from c16) can be longer than 100 bytes (or missing a
terminating null), then the null is written past the end of vendor[].
Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
---
Found with Parfait, http://research.sun.com/projects/parfait/
diff --git a/arch/x86/kernel/efi.c b/arch/x86/kernel/efi.c
index 96f7ac0..436a42f 100644
--- a/arch/x86/kernel/efi.c
+++ b/arch/x86/kernel/efi.c
@@ -354,7 +354,7 @@ void __init efi_init(void)
*/
c16 = tmp = early_ioremap(efi.systab->fw_vendor, 2);
if (c16) {
- for (i = 0; i < sizeof(vendor) && *c16; ++i)
+ for (i = 0; i < sizeof(vendor) - 1 && *c16; ++i)
vendor[i] = *c16++;
vendor[i] = '\0';
} else
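Review bot: The `- 1` on the new loop bound is the right fix for the terminator write in this hunk: with `i < sizeof(vendor)` the loop can exit with `i == sizeof(vendor)`, so `vendor[i] = '\0';` stores one byte past the array, whereas `sizeof(vendor) - 1` caps `i` at the last valid index and reserves that slot for the NUL, which also bounds the missing-terminator case the commit message mentions. The commit message would be clearer if it named this as an off-by-one in the loop bound rather than describing the vendor string length, since the overflow is exactly one byte regardless of how long the name is. A separate nit worth a follow-up rather than this patch: `early_ioremap(efi.systab->fw_vendor, 2)` maps only 2 bytes while the loop reads up to `sizeof(vendor) - 1` 16-bit characters from `c16`, so the mapped length does not match the amount read.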