Excerpts from David Laight's message of April 18, 2017 18:22:
From: Naveen N. Rao
Sent: 12 April 2017 11:58
...
+kprobe_opcode_t *kprobe_lookup_name(const char *name)
+{
...
+       char dot_name[MODULE_NAME_LEN + 1 + KSYM_NAME_LEN];
+       const char *modsym;
+       bool dot_appended = false;
+       if ((modsym = strchr(name, ':')) != NULL) {
+               modsym++;
+               if (*modsym != '\0' && *modsym != '.') {
+                       /* Convert to <module:.symbol> */
+                       strncpy(dot_name, name, modsym - name);
+                       dot_name[modsym - name] = '.';
+                       dot_name[modsym - name + 1] = '\0';
+                       strncat(dot_name, modsym,
+                               sizeof(dot_name) - (modsym - name) - 2);
+                       dot_appended = true;
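Review bot: the rewrite branch never checks `modsym - name` against `sizeof(dot_name)`, and the `strncat()` bound `sizeof(dot_name) - (modsym - name) - 2` is computed in size_t, so once the ':' sits beyond `sizeof(dot_name) - 2` the `strncpy()` and the two stores to `dot_name[modsym - name]` and `dot_name[modsym - name + 1]` already write past the buffer and the bound wraps to a huge value. Validate `strlen(name)` before touching `dot_name` (the result needs one byte more than the input, for the inserted '.') and return an error for names that do not fit, rather than relying on the `strncpy()`/`strncat()` sizes.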

If the ':' is 'a way down' name[] then although the strncpy() won't
overrun dot_name[] the rest of the code can.

Nice catch, thanks David!
We need to be validating the length of 'name'. I'll put out a patch for that.

As an aside, I'm not sure I follow what you mean when you say that the strncpy() won't overrun dot_name[]. If we have a name[] longer than sizeof(dot_name) with the ':' after that, the strncpy() can also overrun dot_name[].


- Naveen


The strncat() call is particularly borked.

        David
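A stand-alone userspace rewrite of the `<module:symbol>` to `<module:.symbol>` conversion with the length validation the thread calls for, added here as an example; it is neither the kernel's code nor the patch under review. The values chosen for MODULE_NAME_LEN and KSYM_NAME_LEN, the function names and the return convention are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed buffer sizes for this stand-alone example; the kernel defines
 * its own MODULE_NAME_LEN and KSYM_NAME_LEN. */
#define MODULE_NAME_LEN 56
#define KSYM_NAME_LEN   128
#define DOT_NAME_LEN    (MODULE_NAME_LEN + 1 + KSYM_NAME_LEN)

/*
 * Hypothetical hardened form of the "<module:symbol>" -> "<module:.symbol>"
 * rewrite. Every length is checked before any byte is written, so a name
 * longer than the output buffer (or one whose ':' sits near its end) is
 * rejected instead of overrunning `out`.
 *
 * Returns 0 and fills `out` on success (*dot_appended tells whether a '.'
 * was inserted), or -1 when the result would not fit in out_len bytes.
 */
int build_dot_name(const char *name, char *out, size_t out_len,
                   bool *dot_appended)
{
    size_t name_len = strlen(name);
    const char *modsym = strchr(name, ':');
    size_t mod_len;

    *dot_appended = false;

    /* Even an unmodified copy needs name_len + 1 bytes (NUL included). */
    if (name_len + 1 > out_len)
        return -1;

    /* No module prefix, empty symbol, or symbol already dotted: copy as is. */
    if (modsym == NULL || modsym[1] == '\0' || modsym[1] == '.') {
        memcpy(out, name, name_len + 1);
        return 0;
    }

    modsym++;                              /* first byte of the symbol part */
    mod_len = (size_t)(modsym - name);     /* "module:" including the ':' */

    /* Inserting the '.' makes the result one byte longer than the input. */
    if (name_len + 2 > out_len)
        return -1;

    memcpy(out, name, mod_len);
    out[mod_len] = '.';
    /* Remaining symbol bytes plus the terminating NUL. */
    memcpy(out + mod_len + 1, modsym, name_len - mod_len + 1);
    *dot_appended = true;
    return 0;
}

/*
 * Self-check helper: 1 if converting `name` into an out_len-byte buffer
 * gives `expected` with the given dot flag, or is rejected when
 * expected == NULL; 0 otherwise.
 */
int check_conversion(const char *name, size_t out_len,
                     const char *expected, bool expect_dot)
{
    char out[DOT_NAME_LEN];
    bool dot = true;
    int rc;

    if (out_len > sizeof(out))
        return 0;
    rc = build_dot_name(name, out, out_len, &dot);
    if (expected == NULL)
        return rc == -1;
    return rc == 0 && strcmp(out, expected) == 0 && dot == expect_dot;
}

int main(void)
{
    /* Constructed sample inputs, including one with the ':' far down
     * an overlong name, which the checks reject before any copy. */
    const char *samples[] = { "mymod:myfunc", "mymod:.myfunc", "myfunc" };
    char out[DOT_NAME_LEN];
    char overlong[DOT_NAME_LEN + 8];
    bool dot;
    size_t i;

    memset(overlong, 'a', sizeof(overlong) - 3);
    memcpy(overlong + sizeof(overlong) - 3, ":x", 3);

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        if (build_dot_name(samples[i], out, sizeof(out), &dot) == 0)
            printf("%-14s -> %-14s dot_appended=%d\n", samples[i], out, dot);
    }
    if (build_dot_name(overlong, out, sizeof(out), &dot) == -1)
        printf("%zu-byte name rejected (buffer is %zu bytes)\n",
               strlen(overlong), sizeof(out));
    return 0;
}
```

The two checks mirror the two outcomes: an input that fits unchanged is copied with a single bounded memcpy, and an input that needs the extra '.' must leave room for one more byte, which is exactly the case the original strncpy()/strncat() arithmetic gets wrong when the ':' lies near the end of the buffer.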
