[B.A.T.M.A.N.] [PATCH] batman-adv: check proto length before accessing proto string buffer
batadv_param_set_ra() strips the trailing '\n' from the supplied string buffer without checking the length of the buffer first. This patches avoids random memory access and associated potential crashes.
Reported-by: Sasha Levin sasha.levin@oracle.com Signed-off-by: Marek Lindner lindner_marek@yahoo.de --- main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/main.c b/main.c index 8a8fd00..f07dd6b 100644 --- a/main.c +++ b/main.c @@ -1106,7 +1106,7 @@ static int batadv_param_set_ra(const char *val, const struct kernel_param *kp) char *algo_name = (char *)val; size_t name_len = strlen(algo_name);
- if (algo_name[name_len - 1] == '\n') + if (name_len > 0 && algo_name[name_len - 1] == '\n') algo_name[name_len - 1] = '\0';
bat_algo_ops = batadv_algo_get(algo_name);
On Sat, Apr 27, 2013 at 04:22:28 +0800, Marek Lindner wrote:
batadv_param_set_ra() strips the trailing '\n' from the supplied string buffer without checking the length of the buffer first. This patches avoids random memory access and associated potential crashes.
Reported-by: Sasha Levin sasha.levin@oracle.com Signed-off-by: Marek Lindner lindner_marek@yahoo.de
Thank you for fixing this!
Please, merge this patch in maint.
Cheers,
On Sunday, April 28, 2013 00:01:32 Antonio Quartulli wrote:
On Sat, Apr 27, 2013 at 04:22:28 +0800, Marek Lindner wrote:
batadv_param_set_ra() strips the trailing '\n' from the supplied string buffer without checking the length of the buffer first. This patches avoids random memory access and associated potential crashes.
Reported-by: Sasha Levin sasha.levin@oracle.com Signed-off-by: Marek Lindner lindner_marek@yahoo.de
Thank you for fixing this!
Please, merge this patch in maint.
Applied in revision aa7d19a.
Regards, Marek
b.a.t.m.a.n@lists.open-mesh.org
-
Antonio Quartulli -
Marek Lindner