Commit ad979896 authored by Alan Cox's avatar Alan Cox Committed by David S. Miller

6pack: fix buffer length mishandling

Dmitry Vyukov wrote:
> different runs). Looking at code, the following looks suspicious -- we
> limit copy by 512 bytes, but use the original count which can be
> larger than 512:
>
> static void sixpack_receive_buf(struct tty_struct *tty,
>     const unsigned char *cp, char *fp, int count)
> {
>     unsigned char buf[512];
>     ....
>     memcpy(buf, cp, count < sizeof(buf) ? count : sizeof(buf));
>     ....
>     sixpack_decode(sp, buf, count1);

With the sane tty locking we now have I believe the following is safe as
we consume the bytes and move them into the decoded buffer before
returning.
Signed-off-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
parent 5737f6c9
...@@ -127,7 +127,7 @@ struct sixpack { ...@@ -127,7 +127,7 @@ struct sixpack {
#define AX25_6PACK_HEADER_LEN 0 #define AX25_6PACK_HEADER_LEN 0
static void sixpack_decode(struct sixpack *, unsigned char[], int); static void sixpack_decode(struct sixpack *, const unsigned char[], int);
static int encode_sixpack(unsigned char *, unsigned char *, int, unsigned char); static int encode_sixpack(unsigned char *, unsigned char *, int, unsigned char);
/* /*
...@@ -428,7 +428,7 @@ static void sixpack_write_wakeup(struct tty_struct *tty) ...@@ -428,7 +428,7 @@ static void sixpack_write_wakeup(struct tty_struct *tty)
/* /*
* Handle the 'receiver data ready' interrupt. * Handle the 'receiver data ready' interrupt.
* This function is called by the 'tty_io' module in the kernel when * This function is called by the tty module in the kernel when
* a block of 6pack data has been received, which can now be decapsulated * a block of 6pack data has been received, which can now be decapsulated
* and sent on to some IP layer for further processing. * and sent on to some IP layer for further processing.
*/ */
...@@ -436,7 +436,6 @@ static void sixpack_receive_buf(struct tty_struct *tty, ...@@ -436,7 +436,6 @@ static void sixpack_receive_buf(struct tty_struct *tty,
const unsigned char *cp, char *fp, int count) const unsigned char *cp, char *fp, int count)
{ {
struct sixpack *sp; struct sixpack *sp;
unsigned char buf[512];
int count1; int count1;
if (!count) if (!count)
...@@ -446,10 +445,7 @@ static void sixpack_receive_buf(struct tty_struct *tty, ...@@ -446,10 +445,7 @@ static void sixpack_receive_buf(struct tty_struct *tty,
if (!sp) if (!sp)
return; return;
memcpy(buf, cp, count < sizeof(buf) ? count : sizeof(buf));
/* Read the characters out of the buffer */ /* Read the characters out of the buffer */
count1 = count; count1 = count;
while (count) { while (count) {
count--; count--;
...@@ -459,7 +455,7 @@ static void sixpack_receive_buf(struct tty_struct *tty, ...@@ -459,7 +455,7 @@ static void sixpack_receive_buf(struct tty_struct *tty,
continue; continue;
} }
} }
sixpack_decode(sp, buf, count1); sixpack_decode(sp, cp, count1);
sp_put(sp); sp_put(sp);
tty_unthrottle(tty); tty_unthrottle(tty);
...@@ -992,7 +988,7 @@ static void decode_std_command(struct sixpack *sp, unsigned char cmd) ...@@ -992,7 +988,7 @@ static void decode_std_command(struct sixpack *sp, unsigned char cmd)
/* decode a 6pack packet */ /* decode a 6pack packet */
static void static void
sixpack_decode(struct sixpack *sp, unsigned char *pre_rbuff, int count) sixpack_decode(struct sixpack *sp, const unsigned char *pre_rbuff, int count)
{ {
unsigned char inbyte; unsigned char inbyte;
int count1; int count1;
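Review bot: The call `sixpack_decode(sp, cp, count1)` in sixpack_receive_buf now reads straight from the tty-supplied buffer, but the lifetime assumption that makes this safe is stated only in the commit message, not in the code. I would add above the call `/* cp belongs to the tty layer and is only valid until we return; sixpack_decode() must consume all count1 bytes synchronously */`. The flag loop before the call does not shorten count1 or skip bytes in the lines shown, so bytes the tty layer marked as errored appear to be decoded as well; it is worth confirming that this is intended. sixpack_decode's body continues outside the hunk, so whether its writes into the decoded buffers stay bounded for a large count cannot be checked from here.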