Skip to content

Commit

Permalink
bonding: fix a buffer overflow in bonding_show_queue_id.
Browse files Browse the repository at this point in the history 
The test for buffer overflow ensures we have room for 6 more bytes.
sprintf, called with %s:%d, slave->dev->name, slave->queue_id may yield
far more than 6 bytes.

The correct test is res > (PAGE_SIZE - IFNAMSIZ - 6) .

Signed-off-by: Nicolas de Pesloüan <nicolas.2p.debian@free.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
  • Loading branch information
Nicolas de Pesloüan authored and David S. Miller committed Jul 15, 2010
1 parent 04d5821 commit 7923668
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions drivers/net/bonding/bond_sysfs.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1427,8 +1427,8 @@ static ssize_t bonding_show_queue_id(struct device *d,

read_lock(&bond->lock);
bond_for_each_slave(bond, slave, i) {
if (res > (PAGE_SIZE - 6)) {
/* not enough space for another interface name */
if (res > (PAGE_SIZE - IFNAMSIZ - 6)) {
/* not enough space for another interface_name:queue_id pair */
if ((PAGE_SIZE - res) > 10)
res = PAGE_SIZE - 10;
res += sprintf(buf + res, "++more++ ");
Expand Down

0 comments on commit 7923668

Please sign in to comment.