LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
* [PATCH] Do not potentially overflow string in sumversion
@ 2011-01-20 23:00 Jesper Juhl
  2011-01-21  6:18 ` WANG Cong
  0 siblings, 1 reply; 2+ messages in thread
From: Jesper Juhl @ 2011-01-20 23:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: James Morris, James Morris, David S. Miller, David Miller,
	Steve French, Steve French, Andrew Tridgell

In scripts/mod/sumversion.c (in get_src_version()) we call 
getenv("MODVERDIR"). This returns a pointer to a string of unknown length. 
This string of unknown length we then pass on as an argument to sprintf() 
and tell it to write the result to 'filelist' which has a, very much 
fixed, size of 'PATH_MAX + 1'. If the string returned by getenv() is too 
long we'll overrun the statically allocated buffer.
This patch prevents the buffer overrun by using snprintf() and telling it 
to copy a maximum of 'PATH_MAX + 1' bytes (including the terminating \0).

Signed-off-by: Jesper Juhl <jj@chaosbits.net>
---
 sumversion.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

  compile tested only

diff --git a/scripts/mod/sumversion.c b/scripts/mod/sumversion.c
index ecf9c7d..35e9404 100644
--- a/scripts/mod/sumversion.c
+++ b/scripts/mod/sumversion.c
@@ -401,7 +401,7 @@ void get_src_version(const char *modname, char sum[], unsigned sumlen)
 		basename = strrchr(modname, '/') + 1;
 	else
 		basename = modname;
-	sprintf(filelist, "%s/%.*s.mod", modverdir,
+	snprintf(filelist, PATH_MAX + 1, "%s/%.*s.mod", modverdir,
 		(int) strlen(basename) - 2, basename);
 
 	file = grab_file(filelist, &len);


-- 
Jesper Juhl <jj@chaosbits.net>            http://www.chaosbits.net/
Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html
Plain text mails only, please.


^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: [PATCH] Do not potentially overflow string in sumversion
  2011-01-20 23:00 [PATCH] Do not potentially overflow string in sumversion Jesper Juhl
@ 2011-01-21  6:18 ` WANG Cong
  0 siblings, 0 replies; 2+ messages in thread
From: WANG Cong @ 2011-01-21  6:18 UTC (permalink / raw)
  To: linux-kernel

On Fri, 21 Jan 2011 00:00:56 +0100, Jesper Juhl wrote:

> In scripts/mod/sumversion.c (in get_src_version()) we call
> getenv("MODVERDIR"). This returns a pointer to a string of unknown
> length. This string of unknown length we then pass on as an argument to
> sprintf() and tell it to write the result to 'filelist' which has a,
> very much fixed, size of 'PATH_MAX + 1'. If the string returned by
> getenv() is too long we'll overrun the statically allocated buffer. This
> patch prevents the buffer overrun by using snprintf() and telling it to
> copy a maximum of 'PATH_MAX + 1' bytes (including the terminating \0).
> 
> Signed-off-by: Jesper Juhl <jj@chaosbits.net> ---

Acked-by: WANG Cong <xiyou.wangcong@gmail.com>

Next time, please Cc linux-kbuild for kbuild changes.

Regards.



^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2011-01-21  6:18 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2011-01-20 23:00 [PATCH] Do not potentially overflow string in sumversion Jesper Juhl
2011-01-21  6:18 ` WANG Cong

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).