Patch "parisc: memory overflow, 'name' length is too short for using" has been added to the 3.9-stable tree

Fri, 21 Jun 2013 08:47:58 -0700 

This is a note to let you know that I've just added the patch titled

    parisc: memory overflow, 'name' length is too short for using

to the 3.9-stable tree which can be found at:
    
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     parisc-memory-overflow-name-length-is-too-short-for-using.patch
and it can be found in the queue-3.9 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <[email protected]> know about it.


>From 3f108de96ba449a8df3d7e3c053bf890fee2cb95 Mon Sep 17 00:00:00 2001
From: Chen Gang <[email protected]>
Date: Mon, 27 May 2013 04:57:09 +0000
Subject: parisc: memory overflow, 'name' length is too short for using

From: Chen Gang <[email protected]>

commit 3f108de96ba449a8df3d7e3c053bf890fee2cb95 upstream.

'path.bc[i]' can be asigned by PCI_SLOT() which can '> 10', so sizeof(6
* "%u:" + "%u" + '\0') may be 21.

Since 'name' length is 20, it may be memory overflow.

And 'path.bc[i]' is 'unsigned char' for printing, we can be sure the
max length of 'name' must be less than 28.

So simplify thinking, we can use 28 instead of 20 directly, and do not
think of whether 'patchc.bc[i]' can '> 100'.

Signed-off-by: Chen Gang <[email protected]>
Signed-off-by: Helge Deller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
 arch/parisc/kernel/drivers.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/parisc/kernel/drivers.c
+++ b/arch/parisc/kernel/drivers.c
@@ -394,7 +394,7 @@ EXPORT_SYMBOL(print_pci_hwpath);
 static void setup_bus_id(struct parisc_device *padev)
 {
        struct hardware_path path;
-       char name[20];
+       char name[28];
        char *output = name;
        int i;
 


Patches currently in stable-queue which might be from [email protected] are

queue-3.9/parisc-kernel-using-strlcpy-instead-of-strcpy.patch
queue-3.9/parisc-memory-overflow-name-length-is-too-short-for-using.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to