From patchwork Wed Jul 14 22:24:37 2010
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: =?utf-8?q?Nicolas_de_Peslo=C3=BCan?=
X-Patchwork-Id: 58936
X-Patchwork-Delegate: davem@davemloft.net
From: =?UTF-8?q?Nicolas=20de=20Peslo=C3=BCan?=
To: bonding-devel@lists.sourceforge.net, andy@greyhouse.net, fubar@us.ibm.com, davem@davemloft.net, netdev@vger.kernel.org
Cc: =?UTF-8?q?Nicolas=20de=20Peslo=C3=BCan?=
Subject: [PATCH] bonding: fix a buffer overflow in bonding_show_queue_id.
Date: Thu, 15 Jul 2010 00:24:37 +0200
Message-Id: <1279146277-9381-1-git-send-email-nicolas.2p.debian@free.fr>
X-Mailer: git-send-email 1.7.1
MIME-Version: 1.0
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: netdev@vger.kernel.org

The test for buffer overflow ensures we have room for 6 more bytes. sprintf, called with %s:%d, slave->dev->name, slave->queue_id may yield far more than 6 bytes. The correct test is res > (PAGE_SIZE - IFNAMSIZ - 6).

Signed-off-by: Nicolas de Pesloüan
--- drivers/net/bonding/bond_sysfs.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/bonding/bond_sysfs.c b/drivers/net/bonding/bond_sysfs.c index f9a0343..1a99764 100644 --- a/drivers/net/bonding/bond_sysfs.c +++ b/drivers/net/bonding/bond_sysfs.c @@ -1427,8 +1427,8 @@ static ssize_t bonding_show_queue_id(struct device *d, read_lock(&bond->lock); bond_for_each_slave(bond, slave, i) { - if (res > (PAGE_SIZE - 6)) { - /* not enough space for another interface name */ + if (res > (PAGE_SIZE - IFNAMSIZ - 6)) { + /* not enough space for another interface_name:queue_id pair */ if ((PAGE_SIZE - res) > 10) res = PAGE_SIZE - 10; res += sprintf(buf + res, "++more++ ");
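
Review bot: The new bound in `if (res > (PAGE_SIZE - IFNAMSIZ - 6))` still rests on an unexplained constant 6 guarding an unbounded sprintf. Per the commit message the pair is formatted with %s:%d, so beyond the name those 6 bytes have to cover the ':', every digit %d can emit for slave->queue_id, any separator and the terminating NUL. The hunk does not show the type of queue_id, so please state the assumed maximum width in the comment, or write the pair with scnprintf(buf + res, PAGE_SIZE - res, ...) so the check no longer has to be kept in sync with the format by hand. Also, with the larger threshold the context line `if ((PAGE_SIZE - res) > 10) res = PAGE_SIZE - 10;` becomes reachable (up to IFNAMSIZ + 5 bytes can now remain, where the old check left at most 5), and it moves res forward over bytes that were never written before "++more++ " is appended; worth confirming that gap in the output is intended.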