summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMathias Krause <minipli@googlemail.com>2014-02-21 21:38:34 +0100
committerDavid S. Miller <davem@davemloft.net>2014-02-25 00:54:25 +0100
commit20b0c718c3bb122107bebadbb8ecf4bab76fb392 (patch)
tree1408cdb798aacbb27a42fe735b6658289c6004ec
parentMerge branch 'qlcnic-next' (diff)
downloadlinux-20b0c718c3bb122107bebadbb8ecf4bab76fb392.tar.xz
linux-20b0c718c3bb122107bebadbb8ecf4bab76fb392.zip
pktgen: fix out-of-bounds access in pgctrl_write()
If a privileged user writes an empty string to /proc/net/pktgen/pgctrl the code for stripping the (then non-existent) '\n' actually writes the zero byte at index -1 of data[]. The then still uninitialized array will very likely fail the command matching tests and the pr_warning() at the end will therefore leak stack bytes to the kernel log. Fix those issues by simply ensuring we're passed a non-empty string as the user API apparently expects a trailing '\n' for all commands. Cc: "David S. Miller" <davem@davemloft.net> Signed-off-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/core/pktgen.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/net/core/pktgen.c b/net/core/pktgen.c
index fdac61cac1bd..cc07c434948a 100644
--- a/net/core/pktgen.c
+++ b/net/core/pktgen.c
@@ -485,6 +485,9 @@ static ssize_t pgctrl_write(struct file *file, const char __user *buf,
goto out;
}
+ if (count == 0)
+ return -EINVAL;
+
if (count > sizeof(data))
count = sizeof(data);
@@ -492,7 +495,7 @@ static ssize_t pgctrl_write(struct file *file, const char __user *buf,
err = -EFAULT;
goto out;
}
- data[count - 1] = 0; /* Make string */
+ data[count - 1] = 0; /* Strip trailing '\n' and terminate string */
if (!strcmp(data, "stop"))
pktgen_stop_all_threads_ifs(pn);