Commit 1ea12fef authored by Kees Cook's avatar Kees Cook Committed by Greg Kroah-Hartman

staging: dgap: fix overflows and format strings

The boot message buffer could potentially overflow the stack and the
heap. Additionally make sure format strings could not leak into printk()
calls.
Signed-off-by: default avatarKees Cook <keescook@chromium.org>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent e72b9da0
...@@ -474,7 +474,7 @@ static void dgap_cleanup_board(struct board_t *brd) ...@@ -474,7 +474,7 @@ static void dgap_cleanup_board(struct board_t *brd)
DGAP_LOCK(dgap_global_lock, flags); DGAP_LOCK(dgap_global_lock, flags);
brd->msgbuf = NULL; brd->msgbuf = NULL;
printk(brd->msgbuf_head); printk("%s", brd->msgbuf_head);
kfree(brd->msgbuf_head); kfree(brd->msgbuf_head);
brd->msgbuf_head = NULL; brd->msgbuf_head = NULL;
DGAP_UNLOCK(dgap_global_lock, flags); DGAP_UNLOCK(dgap_global_lock, flags);
...@@ -628,7 +628,7 @@ static int dgap_found_board(struct pci_dev *pdev, int id) ...@@ -628,7 +628,7 @@ static int dgap_found_board(struct pci_dev *pdev, int id)
DPR_INIT(("dgap_scan(%d) - printing out the msgbuf\n", i)); DPR_INIT(("dgap_scan(%d) - printing out the msgbuf\n", i));
DGAP_LOCK(dgap_global_lock, flags); DGAP_LOCK(dgap_global_lock, flags);
brd->msgbuf = NULL; brd->msgbuf = NULL;
printk(brd->msgbuf_head); printk("%s", brd->msgbuf_head);
kfree(brd->msgbuf_head); kfree(brd->msgbuf_head);
brd->msgbuf_head = NULL; brd->msgbuf_head = NULL;
DGAP_UNLOCK(dgap_global_lock, flags); DGAP_UNLOCK(dgap_global_lock, flags);
...@@ -955,25 +955,28 @@ static void dgap_mbuf(struct board_t *brd, const char *fmt, ...) { ...@@ -955,25 +955,28 @@ static void dgap_mbuf(struct board_t *brd, const char *fmt, ...) {
char buf[1024]; char buf[1024];
int i; int i;
unsigned long flags; unsigned long flags;
size_t length;
DGAP_LOCK(dgap_global_lock, flags); DGAP_LOCK(dgap_global_lock, flags);
/* Format buf using fmt and arguments contained in ap. */ /* Format buf using fmt and arguments contained in ap. */
va_start(ap, fmt); va_start(ap, fmt);
i = vsprintf(buf, fmt, ap); i = vsnprintf(buf, sizeof(buf), fmt, ap);
va_end(ap); va_end(ap);
DPR((buf)); DPR((buf));
if (!brd || !brd->msgbuf) { if (!brd || !brd->msgbuf) {
printk(buf); printk("%s", buf);
DGAP_UNLOCK(dgap_global_lock, flags); DGAP_UNLOCK(dgap_global_lock, flags);
return; return;
} }
memcpy(brd->msgbuf, buf, strlen(buf)); length = strlen(buf) + 1;
brd->msgbuf += strlen(buf); if (brd->msgbuf - brd->msgbuf_head < length)
*brd->msgbuf = 0; length = brd->msgbuf - brd->msgbuf_head;
memcpy(brd->msgbuf, buf, length);
brd->msgbuf += length;
DGAP_UNLOCK(dgap_global_lock, flags); DGAP_UNLOCK(dgap_global_lock, flags);
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment