From patchwork Tue Jul 13 13:21:52 2010
X-Patchwork-Submitter: Dan Carpenter
X-Patchwork-Id: 58776
X-Patchwork-Delegate: davem@davemloft.net
Date: Tue, 13 Jul 2010 15:21:52 +0200
From: Dan Carpenter
To: Jamal Hadi Salim
Cc: "David S. Miller", Stephen Hemminger, netdev@vger.kernel.org, kernel-janitors@vger.kernel.org, matthew@wil.cx
Subject: [patch] net/sched: potential data corruption
Message-ID: <20100713132152.GL5658@bicker>
X-Mailing-List: netdev@vger.kernel.org

The reset_policy() does:
	memset(d->tcfd_defdata, 0, SIMP_MAX_DATA);
	strlcpy(d->tcfd_defdata, defdata, SIMP_MAX_DATA);

In the original code, the size of d->tcfd_defdata wasn't fixed and if
strlen(defdata) was less than 31, reset_policy() would cause memory
corruption.

Please Note: The original alloc_defdata() assumes defdata is 32
characters and a NUL terminator while reset_policy() assumes defdata is
31 characters and a NUL. This patch updates alloc_defdata() to match
reset_policy() (ie a shorter string). I'm not very familiar with this
code so please review carefully.

Signed-off-by: Dan Carpenter
Acked-by: Jamal Hadi Salim
---
diff --git a/net/sched/act_simple.c b/net/sched/act_simple.c index 1b4bc69..4a1d640 100644 --- a/net/sched/act_simple.c +++ b/net/sched/act_simple.c @@ -73,10 +73,10 @@ static int tcf_simp_release(struct tcf_defact *d, int bind) static int alloc_defdata(struct tcf_defact *d, char *defdata) { - d->tcfd_defdata = kstrndup(defdata, SIMP_MAX_DATA, GFP_KERNEL); + d->tcfd_defdata = kzalloc(SIMP_MAX_DATA, GFP_KERNEL); if (unlikely(!d->tcfd_defdata)) return -ENOMEM; - + strlcpy(d->tcfd_defdata, defdata, SIMP_MAX_DATA); return 0; }
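
Review bot: In alloc_defdata(), the added strlcpy(d->tcfd_defdata, defdata, SIMP_MAX_DATA) walks defdata all the way to its NUL terminator to compute the source length, whereas the kstrndup() it replaces never looked past SIMP_MAX_DATA bytes of the source. Nothing in this hunk shows that the caller hands in a terminated string, so please confirm that guarantee or bound the read on the source side as well. The strlcpy() return value is also discarded, so a defdata longer than SIMP_MAX_DATA - 1 characters is now truncated silently; that matches the changelog's "shorter string", but a one-line comment above the copy, or an explicit length check that returns an error, would make the limit visible to the next reader. Minor style point: the blank line that used to separate the -ENOMEM check from return 0; is gone, and the function reads better with one kept before the return.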