Don't write more than the requested number of bytes of an batman-adv icmp packet to the userspace buffer. Otherwise unrelated userspace memory might get overwritten by the kernel.
Reported-by: Paul Kot pawlkt@gmail.com Signed-off-by: Sven Eckelmann sven@narfation.org --- Marek pointed out that it is better to merge patch 1 and 2. I think it doesn't make sense to leave Paul Kot as author because it doesn't look like his patch at all.
And thanks to Andrew for s/overridden/overwritten/
icmp_socket.c | 5 ++--- 1 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/icmp_socket.c b/icmp_socket.c index 5bc8649..66923d2 100644 --- a/icmp_socket.c +++ b/icmp_socket.c @@ -136,10 +136,9 @@ static ssize_t bat_socket_read(struct file *file, char __user *buf,
spin_unlock_bh(&socket_client->lock);
- error = __copy_to_user(buf, &socket_packet->icmp_packet, - socket_packet->icmp_len); + packet_len = min(count, socket_packet->icmp_len); + error = copy_to_user(buf, &socket_packet->icmp_packet, packet_len);
- packet_len = socket_packet->icmp_len; kfree(socket_packet);
if (error)