Message ID | 1455821754-24940-1-git-send-email-stefanha@redhat.com (mailing list archive) |
---|---|
State | New, archived |
On Thu, Feb 18, 2016 at 06:55:54PM +0000, Stefan Hajnoczi wrote:
> The qword_get() function NUL-terminates its output buffer. If the input
> string is in hex format \xXXXX... and the same length as the output
> buffer, there is an off-by-one:

Thanks, I'll pass this along to Linus soon, for 4.5 and stable.

--b.

>
>     int qword_get(char **bpp, char *dest, int bufsize)
>     {
>         ...
>         while (len < bufsize) {
>             ...
>             *dest++ = (h << 4) | l;
>             len++;
>         }
>         ...
>         *dest = '\0';
>         return len;
>     }
>
> This patch ensures the NUL terminator doesn't fall outside the output
> buffer.
>
> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
> ---
> net/sunrpc/cache.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/sunrpc/cache.c b/net/sunrpc/cache.c > index 2b32fd6..273bc3a 100644 > --- a/net/sunrpc/cache.c > +++ b/net/sunrpc/cache.c > @@ -1225,7 +1225,7 @@ int qword_get(char **bpp, char *dest, int bufsize) > if (bp[0] == '\\' && bp[1] == 'x') { > /* HEX STRING */ > bp += 2; > - while (len < bufsize) { > + while (len < bufsize - 1) { > int h, l; > > h = hex_to_bin(bp[0]);
> --
> 2.5.0
diff --git a/net/sunrpc/cache.c b/net/sunrpc/cache.c index 2b32fd6..273bc3a 100644 --- a/net/sunrpc/cache.c +++ b/net/sunrpc/cache.c @@ -1225,7 +1225,7 @@ int qword_get(char **bpp, char *dest, int bufsize) if (bp[0] == '\\' && bp[1] == 'x') { /* HEX STRING */ bp += 2; - while (len < bufsize) { + while (len < bufsize - 1) { int h, l; h = hex_to_bin(bp[0]);
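Review bot: the new bound `len < bufsize - 1` in the hex-string loop only protects the terminator when bufsize is at least 1. bufsize is a signed int, and for a value of 0 the loop is skipped but the unconditional `*dest = '\0'` shown in the commit message still stores one byte. Consider an early return for `bufsize <= 0`, or a comment on qword_get() stating that callers must pass a buffer of at least one byte. The hunk also covers only the `\x` branch; the non-hex branch is not visible here, so it is worth confirming in the same review that its loop uses the same `bufsize - 1` bound.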
The qword_get() function NUL-terminates its output buffer. If the input
string is in hex format \xXXXX... and the same length as the output
buffer, there is an off-by-one:

    int qword_get(char **bpp, char *dest, int bufsize)
    {
        ...
        while (len < bufsize) {
            ...
            *dest++ = (h << 4) | l;
            len++;
        }
        ...
        *dest = '\0';
        return len;
    }

This patch ensures the NUL terminator doesn't fall outside the output
buffer.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 net/sunrpc/cache.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
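The off-by-one described in the commit message, as an added example: a simplified userspace model of the hex branch, not the kernel's code. The names `hex_val`, `decode_hex` and `canary_clobbered` are hypothetical, and the 4-byte buffer, its trailing canary byte and the input string are constructed for the demonstration.

```c
#include <string.h>

/* Userspace stand-in for the kernel's hex_to_bin(): -1 on a non-hex char. */
static int hex_val(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/*
 * Simplified model of the "\x" branch from the commit message. `limit` is
 * the loop bound: bufsize before the patch, bufsize - 1 after it.
 * Returns the index at which the NUL terminator was stored.
 */
static int decode_hex(const char *bp, char *dest, int limit)
{
    int len = 0;

    while (len < limit) {
        int h = hex_val(bp[0]);
        int l = h < 0 ? -1 : hex_val(bp[1]);  /* never read past the NUL */
        if (h < 0 || l < 0)
            break;
        dest[len++] = (char)((h << 4) | l);
        bp += 2;
    }
    dest[len] = '\0';  /* lands at dest[bufsize] when limit == bufsize */
    return len;
}

/*
 * Constructed demo: a 4-byte "output buffer" followed by one canary byte,
 * so the stray store is observable without undefined behaviour.
 * Returns 1 if the byte just past the buffer was overwritten.
 */
static int canary_clobbered(int patched)
{
    enum { BUFSIZE = 4 };
    char region[BUFSIZE + 1];
    const char *input = "41424344";  /* constructed: decodes to 4 bytes */

    memset(region, 0x5a, sizeof(region));
    decode_hex(input, region, patched ? BUFSIZE - 1 : BUFSIZE);
    return region[BUFSIZE] != 0x5a;
}

int main(void) { return !(canary_clobbered(0) == 1 && canary_clobbered(1) == 0); }
```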