diff options
author | Dan Carpenter <error27@gmail.com> | 2010-07-15 04:56:37 +0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2010-07-15 04:56:37 +0400 |
commit | 0eff683f737bf684dc9299e2eaca79cceb80a8c1 (patch) | |
tree | ab92685be15606c06dbab82c581a3b1c0da72986 /mm/msync.c | |
parent | f8320f059296eb8cab6e2429c7ec79b43d42cf42 (diff) | |
download | linux-0eff683f737bf684dc9299e2eaca79cceb80a8c1.tar.xz |
net/sched: potential data corruption
The reset_policy() does:
memset(d->tcfd_defdata, 0, SIMP_MAX_DATA);
strlcpy(d->tcfd_defdata, defdata, SIMP_MAX_DATA);
In the original code, the size of d->tcfd_defdata wasn't fixed and if
strlen(defdata) was less than 31, reset_policy() would cause memory
corruption.
Please Note: The original alloc_defdata() assumes defdata is 32
characters and a NUL terminator while reset_policy() assumes defdata is
31 characters and a NUL. This patch updates alloc_defdata() to match
reset_policy() (ie a shorter string). I'm not very familiar with this
code so please review carefully.
Signed-off-by: Dan Carpenter <error27@gmail.com>
Acked-by: Jamal Hadi Salim <hadi@cyberus.ca>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'mm/msync.c')
0 files changed, 0 insertions, 0 deletions