Inicio Explorar Axuda
Iniciar sesión
GfA
/
linux_kernel
5
0
Fork 0
Ficheiros Incidencias 0 Pull Requests 0 Wiki
Explorar o código

6pack: fix buffer length mishandling

Dmitry Vyukov wrote:
> different runs). Looking at code, the following looks suspicious -- we
> limit copy by 512 bytes, but use the original count which can be
> larger than 512:
>
> static void sixpack_receive_buf(struct tty_struct *tty,
>     const unsigned char *cp, char *fp, int count)
> {
>     unsigned char buf[512];
>     ....
>     memcpy(buf, cp, count < sizeof(buf) ? count : sizeof(buf));
>     ....
>     sixpack_decode(sp, buf, count1);

With the sane tty locking we now have I believe the following is safe as
we consume the bytes and move them into the decoded buffer before
returning.

Signed-off-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Alan Cox %!s(int64=9) %!d(string=hai) anos
pai
5737f6c926
achega
ad9798967d
Modificáronse 1 ficheiros con 4 adicións e 8 borrados
Unificar vista Mostrar estatísticas de Diff
  1. 4 8
      drivers/net/hamradio/6pack.c

+ 4 - 8
drivers/net/hamradio/6pack.c
Ver ficheiro 

@@ -127,7 +127,7 @@ struct sixpack {
 
 
 
 #define AX25_6PACK_HEADER_LEN 0
 
 #define AX25_6PACK_HEADER_LEN 0
 
 
 
-static void sixpack_decode(struct sixpack *, unsigned char[], int);
 
+static void sixpack_decode(struct sixpack *, const unsigned char[], int);
 
 static int encode_sixpack(unsigned char *, unsigned char *, int, unsigned char);
 
 static int encode_sixpack(unsigned char *, unsigned char *, int, unsigned char);
 
 
 
 /*
 
 /*
 
@@ -428,7 +428,7 @@ out:
 
 
 
 /*
 
 /*
 
  * Handle the 'receiver data ready' interrupt.
 
  * Handle the 'receiver data ready' interrupt.
 
- * This function is called by the 'tty_io' module in the kernel when
 
+ * This function is called by the tty module in the kernel when
 
  * a block of 6pack data has been received, which can now be decapsulated
 
  * a block of 6pack data has been received, which can now be decapsulated
 
  * and sent on to some IP layer for further processing.
 
  * and sent on to some IP layer for further processing.
 
  */
 
  */
 
@@ -436,7 +436,6 @@ static void sixpack_receive_buf(struct tty_struct *tty,
 
 	const unsigned char *cp, char *fp, int count)
 
 	const unsigned char *cp, char *fp, int count)
 
 {
 
 {
 
 	struct sixpack *sp;
 
 	struct sixpack *sp;
 
-	unsigned char buf[512];
 
 	int count1;
 
 	int count1;
 
 
 
 	if (!count)
 
 	if (!count)
 
@@ -446,10 +445,7 @@ static void sixpack_receive_buf(struct tty_struct *tty,
 
 	if (!sp)
 
 	if (!sp)
 
 		return;
 
 		return;
 
 
 
-	memcpy(buf, cp, count < sizeof(buf) ? count : sizeof(buf));
 
-
 
 	/* Read the characters out of the buffer */
 
 	/* Read the characters out of the buffer */
 
-
 
 	count1 = count;
 
 	count1 = count;
 
 	while (count) {
 
 	while (count) {
 
 		count--;
 
 		count--;
 
@@ -459,7 +455,7 @@ static void sixpack_receive_buf(struct tty_struct *tty,
 
 			continue;
 
 			continue;
 
 		}
 
 		}
 
 	}
 
 	}
 
-	sixpack_decode(sp, buf, count1);
 
+	sixpack_decode(sp, cp, count1);
 
 
 
 	sp_put(sp);
 
 	sp_put(sp);
 
 	tty_unthrottle(tty);
 
 	tty_unthrottle(tty);
 
@@ -992,7 +988,7 @@ static void decode_std_command(struct sixpack *sp, unsigned char cmd)
 
 /* decode a 6pack packet */
 
 /* decode a 6pack packet */
 
 
 
 static void
 
 static void
 
-sixpack_decode(struct sixpack *sp, unsigned char *pre_rbuff, int count)
 
+sixpack_decode(struct sixpack *sp, const unsigned char *pre_rbuff, int count)
 
 {
 
 {
 
 	unsigned char inbyte;
 
 	unsigned char inbyte;
 
 	int count1;
 
 	int count1;