Commit c00b6856 authored by Paul Kot's avatar Paul Kot Committed by Marek Lindner

batman-adv: bat_socket_read missing checks

Writing a icmp_packet_rr and then reading icmp_packet can lead to kernel
memory corruption, if __user *buf is just below TASK_SIZE.
Signed-off-by: default avatarPaul Kot <pawlkt@gmail.com>
[sven@narfation.org: made it checkpatch clean]
Signed-off-by: default avatarSven Eckelmann <sven@narfation.org>
Signed-off-by: default avatarMarek Lindner <lindner_marek@yahoo.de>
parent 69497c17
...@@ -136,8 +136,8 @@ static ssize_t bat_socket_read(struct file *file, char __user *buf, ...@@ -136,8 +136,8 @@ static ssize_t bat_socket_read(struct file *file, char __user *buf,
spin_unlock_bh(&socket_client->lock); spin_unlock_bh(&socket_client->lock);
error = __copy_to_user(buf, &socket_packet->icmp_packet, error = copy_to_user(buf, &socket_packet->icmp_packet,
socket_packet->icmp_len); socket_packet->icmp_len);
packet_len = socket_packet->icmp_len; packet_len = socket_packet->icmp_len;
kfree(socket_packet); kfree(socket_packet);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment