diff options
author | nbd <nbd@3c298f89-4303-0410-b956-a3cf2f4a3e73> | 2013-08-21 20:59:25 +0000 |
---|---|---|
committer | nbd <nbd@3c298f89-4303-0410-b956-a3cf2f4a3e73> | 2013-08-21 20:59:25 +0000 |
commit | c00dc738e71e14b314710f250437603357b9207f (patch) | |
tree | da8ca9958a4d4707fd9335916a0291cec173a2c4 /target/linux/generic/patches-3.10/930-crashlog.patch | |
parent | fe86258a3325cfa0810c783ee832b0a3dbb7719f (diff) |
kernel: crashlog: Avoid out-of-bounds write
vsnprintf returns the number of chars that would have been written, not
the actual number of chars written. This can lead to crashlog_buf->len
being too big which in turn can lead to get_maxlen() returning negative
numbers. The length argument of kmsg_dump_get_buffer will be casted to
a size_t which makes a negative input a big positive number allowing
kmsg_dump_get_buffer to write out of bounds.
Fix this by using vscnprintf which returns the actually written number
of chars.
Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com>
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@37820 3c298f89-4303-0410-b956-a3cf2f4a3e73
Diffstat (limited to 'target/linux/generic/patches-3.10/930-crashlog.patch')
-rw-r--r-- | target/linux/generic/patches-3.10/930-crashlog.patch | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/target/linux/generic/patches-3.10/930-crashlog.patch b/target/linux/generic/patches-3.10/930-crashlog.patch index 22778c04c7..4aba013eda 100644 --- a/target/linux/generic/patches-3.10/930-crashlog.patch +++ b/target/linux/generic/patches-3.10/930-crashlog.patch @@ -166,7 +166,7 @@ + return; + + va_start(args, fmt); -+ crashlog_buf->len += vsnprintf( ++ crashlog_buf->len += vscnprintf( + &crashlog_buf->data[crashlog_buf->len], + len, fmt, args); + va_end(args); |