[XFS] Prevent buffer overrun in cmn_err().

The message buffer used by cmn_err() is only 256 bytes and some CXFS messages were exceeding this length. Since we were using vsprintf() and not checking for buffer overruns we were clobbering memory beyond the buffer. The size of the buffer has been increased to 1024 bytes so we can capture these larger messages and we are now using vsnprintf() to prevent overrunning the buffer size. SGI-PV: 958599 SGI-Modid: xfs-linux-melb:xfs-kern:27561a Signed-off-by: Lachlan McIlroy <lachlan@sgi.com> Signed-off-by: Geoffrey Wehrman <gwehrman@sgi.com> Signed-off-by: Tim Shimmin <tes@sgi.com>
git-mirror · Feb 10, 2007 · dc74eaa · dc74eaa
1 parent 585e6d8
commit dc74eaa
Showing 1 changed file with 13 additions and 10 deletions.
diff --git a/fs/xfs/support/debug.c b/fs/xfs/support/debug.c
@@ -19,7 +19,7 @@
 #include "debug.h"
 #include "spin.h"
 
-static char		message[256];	/* keep it off the stack */
+static char		message[1024];	/* keep it off the stack */
 static DEFINE_SPINLOCK(xfs_err_lock);
 
 /* Translate from CE_FOO to KERN_FOO, err_level(CE_FOO) == KERN_FOO */
@@ -44,13 +44,14 @@ cmn_err(register int level, char *fmt, ...)
 	spin_lock_irqsave(&xfs_err_lock,flags);
 	va_start(ap, fmt);
 	if (*fmt == '!') fp++;
-	len = vsprintf(message, fp, ap);
-	if (level != CE_DEBUG && message[len-1] != '\n')
-		strcat(message, "\n");
-	printk("%s%s", err_level[level], message);
+	len = vsnprintf(message, sizeof(message), fp, ap);
+	if (len >= sizeof(message))
+		len = sizeof(message) - 1;
+	if (message[len-1] == '\n')
+		message[len-1] = 0;
+	printk("%s%s\n", err_level[level], message);
 	va_end(ap);
 	spin_unlock_irqrestore(&xfs_err_lock,flags);
-
 	BUG_ON(level == CE_PANIC);
 }
 
@@ -64,11 +65,13 @@ icmn_err(register int level, char *fmt, va_list ap)
 	if(level > XFS_MAX_ERR_LEVEL)
 		level = XFS_MAX_ERR_LEVEL;
 	spin_lock_irqsave(&xfs_err_lock,flags);
-	len = vsprintf(message, fmt, ap);
-	if (level != CE_DEBUG && message[len-1] != '\n')
-		strcat(message, "\n");
+	len = vsnprintf(message, sizeof(message), fmt, ap);
+	if (len >= sizeof(message))
+		len = sizeof(message) - 1;
+	if (message[len-1] == '\n')
+		message[len-1] = 0;
+	printk("%s%s\n", err_level[level], message);
 	spin_unlock_irqrestore(&xfs_err_lock,flags);
-	printk("%s%s", err_level[level], message);
 	BUG_ON(level == CE_PANIC);
 }