[PATCH 14/41] TTY: ttyprintk, don't touch behind tty->write_buf

From: Jiri Slaby
Date: Tue Aug 07 2012 - 16:01:44 EST

Next message: Jiri Slaby: "[PATCH 25/41] TTY: add tty_port_link_device"
Previous message: Jiri Slaby: "[PATCH 13/41] TTY: ttyprintk, unregister tty driver on failure"
In reply to: Jiri Slaby: "[PATCH 13/41] TTY: ttyprintk, unregister tty driver on failure"
Next in thread: Jiri Slaby: "[PATCH 25/41] TTY: add tty_port_link_device"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

If a user provides a buffer larger than a tty->write_buf chunk and
passes '\r' at the end of the buffer, we touch an out-of-bound memory.

Add a check there to prevent this.

Signed-off-by: Jiri Slaby <jslaby@xxxxxxx>
Cc: stable@xxxxxxxxxxxxxxx (everything maintained past v2.6.37)
Cc: Samo Pogacnik <samo_pogacnik@xxxxxxx>
---
drivers/char/ttyprintk.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/char/ttyprintk.c b/drivers/char/ttyprintk.c
index 9b1e5e0..08755c5 100644
--- a/drivers/char/ttyprintk.c
+++ b/drivers/char/ttyprintk.c
@@ -67,7 +67,7 @@ static int tpk_printk(const unsigned char *buf, int count)
tmp[tpk_curr + 1] = '\0';
printk(KERN_INFO "%s%s", tpk_tag, tmp);
tpk_curr = 0;
- if (buf[i + 1] == '\n')
+ if ((i + 1) < count && buf[i + 1] == '\n')
i++;
break;
case '\n':
--
1.7.10.4

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Jiri Slaby: "[PATCH 25/41] TTY: add tty_port_link_device"
Previous message: Jiri Slaby: "[PATCH 13/41] TTY: ttyprintk, unregister tty driver on failure"
In reply to: Jiri Slaby: "[PATCH 13/41] TTY: ttyprintk, unregister tty driver on failure"
Next in thread: Jiri Slaby: "[PATCH 25/41] TTY: add tty_port_link_device"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]