vsnprintf returns the number of chars that would have been written, not the actual number of chars written. This can lead to crashlog_buf->len being too big, which in turn can lead to get_maxlen() returning negative numbers. The length argument of kmsg_dump_get_buffer will be cast to a size_t, which makes a negative input a big positive number, allowing kmsg_dump_get_buffer to write out of bounds.
Fix this by using vscnprintf which returns the actually written number of chars. Signed-off-by: Helmut Schaa <[email protected]> --- Only tested on 3.10. target/linux/generic/patches-3.10/930-crashlog.patch | 2 +- target/linux/generic/patches-3.3/930-crashlog.patch | 2 +- target/linux/generic/patches-3.6/930-crashlog.patch | 2 +- target/linux/generic/patches-3.8/930-crashlog.patch | 2 +- target/linux/generic/patches-3.9/930-crashlog.patch | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/target/linux/generic/patches-3.10/930-crashlog.patch b/target/linux/generic/patches-3.10/930-crashlog.patch index 22778c0..4aba013 100644 --- a/target/linux/generic/patches-3.10/930-crashlog.patch +++ b/target/linux/generic/patches-3.10/930-crashlog.patch @@ -166,7 +166,7 @@ + return; + + va_start(args, fmt); -+ crashlog_buf->len += vsnprintf( ++ crashlog_buf->len += vscnprintf( + &crashlog_buf->data[crashlog_buf->len], + len, fmt, args); + va_end(args); diff --git a/target/linux/generic/patches-3.3/930-crashlog.patch b/target/linux/generic/patches-3.3/930-crashlog.patch index f6a52f3..9a10723 100644 --- a/target/linux/generic/patches-3.3/930-crashlog.patch +++ b/target/linux/generic/patches-3.3/930-crashlog.patch @@ -166,7 +166,7 @@ + return; + + va_start(args, fmt); -+ crashlog_buf->len += vsnprintf( ++ crashlog_buf->len += vscnprintf( + &crashlog_buf->data[crashlog_buf->len], + len, fmt, args); + va_end(args); diff --git a/target/linux/generic/patches-3.6/930-crashlog.patch b/target/linux/generic/patches-3.6/930-crashlog.patch index 8c1a18a..8892399 100644 --- a/target/linux/generic/patches-3.6/930-crashlog.patch +++ b/target/linux/generic/patches-3.6/930-crashlog.patch @@ -166,7 +166,7 @@ + return; + + va_start(args, fmt); -+ crashlog_buf->len += vsnprintf( ++ crashlog_buf->len += vscnprintf( + &crashlog_buf->data[crashlog_buf->len], + len, fmt, args); + va_end(args); 
diff --git a/target/linux/generic/patches-3.8/930-crashlog.patch b/target/linux/generic/patches-3.8/930-crashlog.patch index da0d800..4d0fc02 100644 --- a/target/linux/generic/patches-3.8/930-crashlog.patch +++ b/target/linux/generic/patches-3.8/930-crashlog.patch @@ -166,7 +166,7 @@ + return; + + va_start(args, fmt); -+ crashlog_buf->len += vsnprintf( ++ crashlog_buf->len += vscnprintf( + &crashlog_buf->data[crashlog_buf->len], + len, fmt, args); + va_end(args); diff --git a/target/linux/generic/patches-3.9/930-crashlog.patch b/target/linux/generic/patches-3.9/930-crashlog.patch index 867e5bb..d20c32d 100644 --- a/target/linux/generic/patches-3.9/930-crashlog.patch +++ b/target/linux/generic/patches-3.9/930-crashlog.patch @@ -166,7 +166,7 @@ + return; + + va_start(args, fmt); -+ crashlog_buf->len += vsnprintf( ++ crashlog_buf->len += vscnprintf( + &crashlog_buf->data[crashlog_buf->len], + len, fmt, args); + va_end(args); -- 1.7.10.4
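Review bot: the call at `crashlog_buf->len += vscnprintf(` still passes `len` as the size, and the check that precedes the visible `return;` lies outside the hunk's context, so please confirm that it rejects `len <= 0`. The size parameter is a size_t, so a negative `len` would turn into a large positive value in the same way the commit message describes for kmsg_dump_get_buffer. The identical one-line change is applied to 3.3, 3.6, 3.8 and 3.9 while the note says only 3.10 was tested, so a build test on the other four is worth doing before this goes in. A short comment above the call stating that `crashlog_buf->len` must count bytes actually stored would help keep a later edit from switching back to vsnprintf.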
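The length accounting described in the commit message, as an added userspace example that is not code from the patch or from OpenWrt. The names demo_buf, demo_vscnprintf, demo_append and demo_len_after are hypothetical, BUF_SIZE and the message are constructed, and demo_vscnprintf only imitates the return value of the kernel's vscnprintf.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>

#define BUF_SIZE 16 /* constructed size for the demo */
/* Hypothetical stand-in for crashlog_buf: a length plus a data area. */
struct demo_buf { int len; char data[BUF_SIZE]; };

/* Userspace stand-in for the kernel's vscnprintf(): returns the number of
 * characters actually stored, not counting the trailing NUL. */
static int demo_vscnprintf(char *buf, size_t size, const char *fmt, va_list args)
{
    int n = vsnprintf(buf, size, fmt, args);
    if (size == 0 || n < 0)
        return 0;
    return (size_t)n < size ? n : (int)(size - 1);
}

/* Append to b; 'fixed' selects which return-value convention updates len. */
static void demo_append(struct demo_buf *b, int fixed, const char *fmt, ...)
{
    int room = BUF_SIZE - b->len;
    va_list args;
    if (room <= 0)
        return;
    va_start(args, fmt);
    if (fixed)
        b->len += demo_vscnprintf(&b->data[b->len], (size_t)room, fmt, args);
    else
        b->len += vsnprintf(&b->data[b->len], (size_t)room, fmt, args);
    va_end(args);
}

/* Append one constructed 35-character message and return the resulting len. */
static int demo_len_after(int fixed)
{
    struct demo_buf b = { 0 };
    demo_append(&b, fixed, "%s", "a message longer than sixteen bytes");
    return b.len;
}

int main(void)
{
    int bad = demo_len_after(0), good = demo_len_after(1);
    /* A negative "space left" becomes a huge size_t once it is cast. */
    printf("vsnprintf:  len=%d left=%d as size_t=%zu\n", bad, BUF_SIZE - bad, (size_t)(BUF_SIZE - bad));
    printf("vscnprintf: len=%d left=%d\n", good, BUF_SIZE - good);
    return 0;
}
```

The write in the demo stays inside the 16-byte buffer in both cases; only the recorded length differs, which is the value a later size computation would trust.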
