[lvc-project] [PATCH 2/2] procfs.c: Increasing array size
Alexey Khoroshilov
khoroshilov at ispras.ru
Mon Jan 8 19:56:44 MSK 2024
On 16.11.2023 10:05, Andrey Shumilin wrote:
> The maximum size in bytes of the port->base and port->base_hi
> variables is 20 bytes per variable, since they are copied in
> decimal notation. Two more characters are \t and \n.
> A maximum of 42 bytes can be written to a buffer variable.
I would update subject and description like that:
paport: Fix potential buffer overflow in do_hardware_base_addr()
The maximum size after expansion for the "%lu\t%lu\n"
is 20+1+20+1+1 = 43 bytes, while buffer is of size 20 bytes.
So buffer overflow may happen.
Otherwise, looks good to me.
Reviewed-by: Alexey Khoroshilov <khoroshilov at ispras.ru>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Signed-off-by: Andrey Shumilin <shum.sdl at nppct.ru>
> ---
> drivers/parport/procfs.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/parport/procfs.c b/drivers/parport/procfs.c
> index bd388560ed59..9b894f7cb581 100644
> --- a/drivers/parport/procfs.c
> +++ b/drivers/parport/procfs.c
> @@ -117,7 +117,7 @@ static int do_hardware_base_addr(struct ctl_table *table, int write,
> void *result, size_t *lenp, loff_t *ppos)
> {
> struct parport *port = (struct parport *)table->extra1;
> - char buffer[20];
> + char buffer[44];
> int len = 0;
>
> if (*ppos) {
>
More information about the lvc-project
mailing list