From patchwork Tue Aug 12 10:59:29 2014 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Wei Liu X-Patchwork-Id: 379297 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 6A118140096 for ; Tue, 12 Aug 2014 20:59:44 +1000 (EST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752204AbaHLK7j (ORCPT ); Tue, 12 Aug 2014 06:59:39 -0400 Received: from smtp.citrix.com ([66.165.176.89]:31541 "EHLO SMTP.CITRIX.COM" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752157AbaHLK7d (ORCPT ); Tue, 12 Aug 2014 06:59:33 -0400 X-IronPort-AV: E=Sophos;i="5.01,848,1400025600"; d="scan'208";a="160900690" Received: from ukmail1.uk.xensource.com (10.80.16.128) by smtprelay.citrix.com (10.13.107.79) with Microsoft SMTP Server id 14.3.181.6; Tue, 12 Aug 2014 06:59:31 -0400 Received: from dt47.uk.xensource.com ([10.80.229.47] helo=dt47.uk.xensource.com.) by ukmail1.uk.xensource.com with esmtp (Exim 4.69) (envelope-from ) id 1XH9nf-00049Y-03; Tue, 12 Aug 2014 11:59:31 +0100 From: Wei Liu To: , CC: , , Wei Liu Subject: [PATCH net 1/2] xen-netback: fix debugfs write length check Date: Tue, 12 Aug 2014 11:59:29 +0100 Message-ID: <1407841170-20916-2-git-send-email-wei.liu2@citrix.com> X-Mailer: git-send-email 1.7.10.4 In-Reply-To: <1407841170-20916-1-git-send-email-wei.liu2@citrix.com> References: <1407841170-20916-1-git-send-email-wei.liu2@citrix.com> MIME-Version: 1.0 X-DLP: MIA2 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org Enlarge buffer size and check input length properly, so that we don't misuse -ENOSPC. Note that command like "kickXXXX" is still allowed, that's one patch for another day if we really want to be very strict on this. Reported-by: SeeChen Ng Signed-off-by: Wei Liu Cc: Zoltan Kiss Cc: Ian Campbell --- drivers/net/xen-netback/xenbus.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/drivers/net/xen-netback/xenbus.c b/drivers/net/xen-netback/xenbus.c index 580517d..4c9041e 100644 --- a/drivers/net/xen-netback/xenbus.c +++ b/drivers/net/xen-netback/xenbus.c @@ -116,6 +116,7 @@ static int xenvif_read_io_ring(struct seq_file *m, void *v) } #define XENVIF_KICK_STR "kick" +#define BUFFER_SIZE 32 static ssize_t xenvif_write_io_ring(struct file *filp, const char __user *buf, size_t count, @@ -124,22 +125,24 @@ xenvif_write_io_ring(struct file *filp, const char __user *buf, size_t count, struct xenvif_queue *queue = ((struct seq_file *)filp->private_data)->private; int len; - char write[sizeof(XENVIF_KICK_STR)]; + char write[BUFFER_SIZE]; /* don't allow partial writes and check the length */ if (*ppos != 0) return 0; - if (count < sizeof(XENVIF_KICK_STR) - 1) + if (count >= sizeof(write)) return -ENOSPC; len = simple_write_to_buffer(write, - sizeof(write), + sizeof(write) - 1, ppos, buf, count); if (len < 0) return len; + write[len] = '\0'; + if (!strncmp(write, XENVIF_KICK_STR, sizeof(XENVIF_KICK_STR) - 1)) xenvif_interrupt(0, (void *)queue); else {