[Yaffs] yaffs_proc_write may access an out of range buffer a…

Top Page
This message is part of the following thread:
Mthe complete thread tree sorted by date
 
 
Attachments:
Message as email
+ (text/plain)
Delete this message
Reply to this message
Author: zheng shi
Date:  
To: YAFFS
Subject: [Yaffs] yaffs_proc_write may access an out of range buffer address
In yaffs_proc_write
static int yaffs_proc_write(struct file *file, const char *buf,
                     unsigned long count, void *data)
{
...
        mask_bitfield = simple_strtoul(buf + pos, &end, 0);
        if (end > buf + pos) {
            mask_name = "numeral";
            len = end - (buf + pos);
            pos += len;
            done = 0;
        } else {
...
}


simple_strtoul may cause end>=buf+count.

I think we may need another check-length version of simple_strtoul
which is like nstrcpy v.s. strcpy.

--
Regards, neversetsun


This message was posted to the following mailing lists:
YAFFS
Mailing List Info | Nearby Messages		<-[Yaffs] YAFFS2 Decalring a explicit interface for llseekRe: [Yaffs] Kenrel 2.6.28-rc8 removes prepare_write/commit_write...->
Stoneboat Mailing List Archive administrated by JennyLurker (version 2.3)