can-bcm: fix minor heap overflow

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* can-bcm: fix minor heap overflow
@ 2010-11-10 22:10 Oliver Hartkopp
  2010-11-12  2:39 ` Simon Horman
  2010-11-12 22:07 ` David Miller
  0 siblings, 2 replies; 5+ messages in thread
From: Oliver Hartkopp @ 2010-11-10 22:10 UTC (permalink / raw)
  To: David Miller
  Cc: Linux Netdev List, Dan Rosenberg, Linus Torvalds, Urs Thuermann,
	security

On 64-bit platforms the ASCII representation of a pointer may be up to 17
bytes long. This patch increases the length of the buffer accordingly.

http://marc.info/?l=linux-netdev&m=128872251418192&w=2

Reported-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
CC: Linus Torvalds <torvalds@linux-foundation.org>

---

diff --git a/net/can/bcm.c b/net/can/bcm.c
index 08ffe9e..6faa825 100644
--- a/net/can/bcm.c
+++ b/net/can/bcm.c
@@ -125,7 +125,7 @@ struct bcm_sock {
 	struct list_head tx_ops;
 	unsigned long dropped_usr_msgs;
 	struct proc_dir_entry *bcm_proc_read;
-	char procname [9]; /* pointer printed in ASCII with \0 */
+	char procname [20]; /* pointer printed in ASCII with \0 */
 };

 static inline struct bcm_sock *bcm_sk(const struct sock *sk)


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: can-bcm: fix minor heap overflow
  2010-11-10 22:10 can-bcm: fix minor heap overflow Oliver Hartkopp
@ 2010-11-12  2:39 ` Simon Horman
  2010-11-12  2:43   ` Dan Rosenberg
  2010-11-12 22:07 ` David Miller
  1 sibling, 1 reply; 5+ messages in thread
From: Simon Horman @ 2010-11-12  2:39 UTC (permalink / raw)
  To: Oliver Hartkopp
  Cc: David Miller, Linux Netdev List, Dan Rosenberg, Linus Torvalds,
	Urs Thuermann, security

On Wed, Nov 10, 2010 at 11:10:30PM +0100, Oliver Hartkopp wrote:
> On 64-bit platforms the ASCII representation of a pointer may be up to 17
> bytes long. This patch increases the length of the buffer accordingly.
> 
> http://marc.info/?l=linux-netdev&m=128872251418192&w=2
> 
> Reported-by: Dan Rosenberg <drosenberg@vsecurity.com>
> Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
> CC: Linus Torvalds <torvalds@linux-foundation.org>
> 
> ---
> 
> diff --git a/net/can/bcm.c b/net/can/bcm.c
> index 08ffe9e..6faa825 100644
> --- a/net/can/bcm.c
> +++ b/net/can/bcm.c
> @@ -125,7 +125,7 @@ struct bcm_sock {
>  	struct list_head tx_ops;
>  	unsigned long dropped_usr_msgs;
>  	struct proc_dir_entry *bcm_proc_read;
> -	char procname [9]; /* pointer printed in ASCII with \0 */
> +	char procname [20]; /* pointer printed in ASCII with \0 */
>  };

If the string may be up to 17 bytes long why are you allocating 20?

>  static inline struct bcm_sock *bcm_sk(const struct sock *sk)

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: can-bcm: fix minor heap overflow
  2010-11-12  2:39 ` Simon Horman
@ 2010-11-12  2:43   ` Dan Rosenberg
  2010-11-12  2:48     ` Simon Horman
  0 siblings, 1 reply; 5+ messages in thread
From: Dan Rosenberg @ 2010-11-12  2:43 UTC (permalink / raw)
  To: Simon Horman
  Cc: Oliver Hartkopp, David Miller, Linux Netdev List, Linus Torvalds,
	Urs Thuermann, security


> 
> If the string may be up to 17 bytes long why are you allocating 20?
> 

In Oliver's defense, this doesn't matter even a little bit.  The
structure will be allocated with kmalloc-1024 either way.

-Dan


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: can-bcm: fix minor heap overflow
  2010-11-12  2:43   ` Dan Rosenberg
@ 2010-11-12  2:48     ` Simon Horman
  0 siblings, 0 replies; 5+ messages in thread
From: Simon Horman @ 2010-11-12  2:48 UTC (permalink / raw)
  To: Dan Rosenberg
  Cc: Oliver Hartkopp, David Miller, Linux Netdev List, Linus Torvalds,
	Urs Thuermann, security

On Thu, Nov 11, 2010 at 09:43:58PM -0500, Dan Rosenberg wrote:
> 
> > 
> > If the string may be up to 17 bytes long why are you allocating 20?
> > 
> 
> In Oliver's defense, this doesn't matter even a little bit.  The
> structure will be allocated with kmalloc-1024 either way.

I agree that its very unlikely to make any difference.
I am just curious.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: can-bcm: fix minor heap overflow
  2010-11-10 22:10 can-bcm: fix minor heap overflow Oliver Hartkopp
  2010-11-12  2:39 ` Simon Horman
@ 2010-11-12 22:07 ` David Miller
  1 sibling, 0 replies; 5+ messages in thread
From: David Miller @ 2010-11-12 22:07 UTC (permalink / raw)
  To: socketcan; +Cc: netdev, drosenberg, torvalds, urs, security

From: Oliver Hartkopp <socketcan@hartkopp.net>
Date: Wed, 10 Nov 2010 23:10:30 +0100

> On 64-bit platforms the ASCII representation of a pointer may be up to 17
> bytes long. This patch increases the length of the buffer accordingly.
> 
> http://marc.info/?l=linux-netdev&m=128872251418192&w=2
> 
> Reported-by: Dan Rosenberg <drosenberg@vsecurity.com>
> Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
> CC: Linus Torvalds <torvalds@linux-foundation.org>

Patch applied, thanks.

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2010-11-12 22:07 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-11-10 22:10 can-bcm: fix minor heap overflow Oliver Hartkopp
2010-11-12  2:39 ` Simon Horman
2010-11-12  2:43   ` Dan Rosenberg
2010-11-12  2:48     ` Simon Horman
2010-11-12 22:07 ` David Miller

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).