[Yaffs] yaffs_proc_write may access an out of range buffer a…

Author: zheng shi
Date:  
To: YAFFS
Subject: [Yaffs] yaffs_proc_write may access an out of range buffer address
In yaffs_proc_write
static int yaffs_proc_write(struct file *file, const char *buf,
                     unsigned long count, void *data)
{
...
        mask_bitfield = simple_strtoul(buf + pos, &end, 0);
        if (end > buf + pos) {
            mask_name = "numeral";
            len = end - (buf + pos);
            pos += len;
            done = 0;
        } else {
...
}


simple_strtoul may cause end >= buf + count.

I think we may need another length-checking version of simple_strtoul,
which is like nstrcpy vs. strcpy.

--
Regards, neversetsun
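
A sketch of the length-checked parser the message asks for, as an added example that is not part of the original post or of the Yaffs or kernel sources. The names bounded_strtoul, digit_val and demo_mem are hypothetical; the point is that the caller passes the remaining byte count and the returned end pointer can never exceed buf + count.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Value of an ASCII digit in bases up to 16, or -1 if not a digit. */
static int digit_val(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Hypothetical helper (assumption, not a kernel API): parse buf[0..len)
 * without reading buf[len] or beyond. base 0 auto-detects 0x and leading 0.
 * buf <= *end <= buf + len always holds; overflow saturates at ULONG_MAX. */
unsigned long bounded_strtoul(const char *buf, size_t len,
                              const char **end, unsigned int base)
{
    const char *p = buf, *lim = buf + len;
    unsigned long val = 0;
    int d, autodetect = (base == 0);

    if (autodetect)
        base = (p < lim && *p == '0') ? 8 : 10;
    /* Accept "0x" only when a hex digit follows inside the bounds. */
    if ((base == 16 || (autodetect && base == 8)) && lim - p >= 3 &&
        p[0] == '0' && (p[1] == 'x' || p[1] == 'X') && digit_val(p[2]) >= 0) {
        base = 16;
        p += 2;
    }
    while (p < lim && (d = digit_val(*p)) >= 0 && (unsigned int)d < base) {
        val = (val > (ULONG_MAX - (unsigned long)d) / base)
                  ? ULONG_MAX : val * base + (unsigned long)d;
        p++;
    }
    *end = p;
    return val;
}

/* Constructed sample: a 4-byte write "1234" followed by unrelated digits. */
static const char demo_mem[] = "12345678";

int main(void)
{
    const char *end;
    unsigned long v = bounded_strtoul(demo_mem, 4, &end, 0);
    printf("value=%lu consumed=%td\n", v, end - demo_mem);
    return 0;
}
```

With count = 4 the parse stops at demo_mem + 4, whereas an unbounded conversion over the same memory would keep consuming digits past the end of the written data.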