| Revision | 6ab2cfa4f0a04c11932af701b5437879dd14d8bb (tree) |
|---|---|
| Zeit | 2007-11-12 02:43:41 |
| Autor | dann frazier <dannf@dann...> |
| Commiter | Willy Tarreau |
[PATCH 3/4] [OpenPROM] Prevent overflow of sprintf buffer
This patch fixes a few potential overflows, originally submitted to 2.5 by
Dave Miller:
Signed-off-by: dann frazier <dannf@hp.com>
fs/openpromfs/inode.c (diff)| @@ -285,24 +285,27 @@ static ssize_t property_read(struct file *filp, char *buf, | ||
| 285 | 285 | k += count; |
| 286 | 286 | |
| 287 | 287 | } else if (op->flag & OPP_HEXSTRING) { |
| 288 | - char buffer[2]; | |
| 288 | + char buffer[3]; | |
| 289 | 289 | |
| 290 | 290 | if ((k < i - 1) && (k & 1)) { |
| 291 | - sprintf (buffer, "%02x", *(op->value + (k >> 1))); | |
| 291 | + sprintf (buffer, "%02x", | |
| 292 | + (unsigned char) *(op->value + (k >> 1)) & 0xff); | |
| 292 | 293 | if (put_user(buffer[1], &buf[k++ - pos])) |
| 293 | 294 | return -EFAULT; |
| 294 | 295 | count--; |
| 295 | 296 | } |
| 296 | 297 | |
| 297 | 298 | for (; (count > 1) && (k < i - 1); k += 2) { |
| 298 | - sprintf (buffer, "%02x", *(op->value + (k >> 1))); | |
| 299 | + sprintf (buffer, "%02x", | |
| 300 | + (unsigned char) *(op->value + (k >> 1)) & 0xff); | |
| 299 | 301 | if (copy_to_user (buf + k - pos, buffer, 2)) |
| 300 | 302 | return -EFAULT; |
| 301 | 303 | count -= 2; |
| 302 | 304 | } |
| 303 | 305 | |
| 304 | 306 | if (count && (k < i - 1)) { |
| 305 | - sprintf (buffer, "%02x", *(op->value + (k >> 1))); | |
| 307 | + sprintf (buffer, "%02x", | |
| 308 | + (unsigned char) *(op->value + (k >> 1)) & 0xff); | |
| 306 | 309 | if (put_user(buffer[0], &buf[k++ - pos])) |
| 307 | 310 | return -EFAULT; |
| 308 | 311 | count--; |
Linux Kernel Documents
Fork