batman-adv: check proto length before accessing proto string buffer
Commit Message
batadv_param_set_ra() strips the trailing '\n' from the supplied
string buffer without checking the length of the buffer first. This
patches avoids random memory access and associated potential
crashes.
Reported-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
---
main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Comments
On Sat, Apr 27, 2013 at 04:22:28 +0800, Marek Lindner wrote:
> batadv_param_set_ra() strips the trailing '\n' from the supplied
> string buffer without checking the length of the buffer first. This
> patches avoids random memory access and associated potential
> crashes.
>
> Reported-by: Sasha Levin <sasha.levin@oracle.com>
> Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
Thank you for fixing this!
Please, merge this patch in maint.
Cheers,
On Sunday, April 28, 2013 00:01:32 Antonio Quartulli wrote:
> On Sat, Apr 27, 2013 at 04:22:28 +0800, Marek Lindner wrote:
> > batadv_param_set_ra() strips the trailing '\n' from the supplied
> > string buffer without checking the length of the buffer first. This
> > patches avoids random memory access and associated potential
> > crashes.
> >
> >
> >
> > Reported-by: Sasha Levin <sasha.levin@oracle.com>
> > Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
>
> Thank you for fixing this!
>
> Please, merge this patch in maint.
Applied in revision aa7d19a.
Regards,
Marek
@@ -1106,7 +1106,7 @@ static int batadv_param_set_ra(const char *val, const struct kernel_param *kp)
char *algo_name = (char *)val;
size_t name_len = strlen(algo_name);
- if (algo_name[name_len - 1] == '\n')
+ if (name_len > 0 && algo_name[name_len - 1] == '\n')
algo_name[name_len - 1] = '\0';
bat_algo_ops = batadv_algo_get(algo_name);