Эхлэл Бүгдийг харах Тусламж
Нэвтрэх
GfA
/
linux_kernel
5
0
Салаа 0
Файлууд Асуудлууд 0 Хуулах хүсэлтүүд 0 Мэдлэгийн сан
Эх сурвалжийг харах

s390/sclp: always stay within bounds of the early sccb

Make sure the _sclp_print_lm function stays within bounds of the early
sccb, even if the passed string is very long.  If the string is too
long, the remaining characters will be dropped.

Suggested-by: Peter Oberparleiter <oberpar@linux.vnet.ibm.com>
Reviewed-by: Peter Oberparleiter <oberpar@linux.vnet.ibm.com>
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Heiko Carstens 8 жил өмнө
parent
742dc5773c
commit
f031974859
1 өөрчлөгдсөн 6 нэмэгдсэн , 1 устгасан
Өөрчлөлтийг ялгаж харах Өөрчлөлтийн статистик харах
  1. 6 1
      arch/s390/kernel/sclp.c

+ 6 - 1
arch/s390/kernel/sclp.c
Файл харах 

@@ -132,16 +132,21 @@ static void _sclp_print_lm(const char *str)
 
 		0x10, 0x00,					/* 4 */
 
 		0x00, 0x00, 0x00, 0x00				/* 6 */
 
 	};
 
-	unsigned char *ptr, ch;
 
+	unsigned char *ptr, *end_ptr, ch;
 
 	unsigned int count;
 
 
 	memcpy(_sclp_work_area, write_head, sizeof(write_head));
 
 	ptr = _sclp_work_area + sizeof(write_head);
 
+	end_ptr = _sclp_work_area + sizeof(_sclp_work_area) - 1;
 
 	do {
 
+		if (ptr + sizeof(write_mto) > end_ptr)
 
+			break;
 
 		memcpy(ptr, write_mto, sizeof(write_mto));
 
 		for (count = sizeof(write_mto); (ch = *str++) != 0; count++) {
 
 			if (ch == 0x0a)
 
 				break;
 
+			if (ptr > end_ptr)
 
+				break;
 
 			ptr[count] = _ascebc[ch];
 
 		}
 
 		/* Update length fields in mto, mdb, evbuf and sccb */