• 6pack: fix buffer length mishandling · ad979896
    Alan Cox authored
    Dmitry Vyukov wrote:
    > different runs). Looking at code, the following looks suspicious -- we
    > limit copy by 512 bytes, but use the original count which can be
    > larger than 512:
    >
    > static void sixpack_receive_buf(struct tty_struct *tty,
    >     const unsigned char *cp, char *fp, int count)
    > {
    >     unsigned char buf[512];
    >     ....
    >     memcpy(buf, cp, count < sizeof(buf) ? count : sizeof(buf));
    >     ....
    >     sixpack_decode(sp, buf, count1);
    
    With the sane tty locking we now have I believe the following is safe as
    we consume the bytes and move them into the decoded buffer before
    returning.
    Signed-off-by: Alan Cox <alan@linux.intel.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
6pack.c 24.3 KB
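
Added example, not part of the commit or the kernel source: a user-space C model of the length mismatch quoted in the commit message, where the copy into the 512-byte buffer is clamped but the decode length is not. `decode`, `rx_mismatched` and `rx_in_place` are hypothetical names, the 600-byte input is constructed, and the in-place variant is one way to keep a single length in force, not necessarily the change this commit makes.

```c
#include <stdio.h>
#include <string.h>

#define RX_BUF 512 /* size of the on-stack buffer in the quoted code */

/* Hypothetical stand-in for sixpack_decode(): sums the bytes it is asked to
 * consume. 'avail' is how many bytes really sit behind 'p'; a read past that
 * is counted in *oob instead of being performed, so the demo stays defined. */
static unsigned decode(const unsigned char *p, size_t avail, size_t len, size_t *oob)
{
    unsigned sum = 0;
    for (size_t i = 0; i < len; i++) {
        if (i < avail)
            sum += p[i];
        else
            (*oob)++;
    }
    return sum;
}

/* Pattern from the quoted report: the copy is clamped, the decode length is not. */
static unsigned rx_mismatched(const unsigned char *cp, size_t count, size_t *oob)
{
    unsigned char buf[RX_BUF];
    size_t count1 = count; /* saved before clamping, as in the quote */

    memcpy(buf, cp, count < sizeof(buf) ? count : sizeof(buf));
    return decode(buf, sizeof(buf), count1, oob);
}

/* Hardened form (assumption): no bounce buffer, one length for everything. */
static unsigned rx_in_place(const unsigned char *cp, size_t count, size_t *oob)
{
    return decode(cp, count, count, oob);
}

int main(void)
{
    unsigned char in[600]; /* constructed input, larger than RX_BUF */
    size_t oob_a = 0, oob_b = 0;

    memset(in, 1, sizeof(in));
    unsigned a = rx_mismatched(in, sizeof(in), &oob_a);
    unsigned b = rx_in_place(in, sizeof(in), &oob_b);
    printf("mismatched: sum=%u oob=%zu\n", a, oob_a);
    printf("in place:   sum=%u oob=%zu\n", b, oob_b);
    return 0;
}
```

In the mismatched variant the 88 bytes beyond the buffer would be read from adjacent stack memory in real code, and the last 88 input bytes are never decoded at all.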