66 lines
2.1 KiB
Diff
66 lines
2.1 KiB
Diff
From 588d54039ef4c17c7bba79abe057daf5b69b2330 Mon Sep 17 00:00:00 2001
|
|
From: Wei Liu <wei.liu2@citrix.com>
|
|
Date: Tue, 12 Aug 2014 11:59:29 +0100
|
|
Subject: [PATCH 06/14] xen-netback: fix debugfs write length check
|
|
Origin: https://git.kernel.org/linus/5c807005fa60deef2db6616d9b7b24fc4c436be9
|
|
|
|
Enlarge buffer size and check input length properly, so that we don't
|
|
misuse -ENOSPC.
|
|
|
|
Note that command like "kickXXXX" is still allowed, that's one patch for
|
|
another day if we really want to be very strict on this.
|
|
|
|
Reported-by: SeeChen Ng <seechen81@gmail.com>
|
|
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
|
|
Cc: Zoltan Kiss <zoltan.kiss@citrix.com>
|
|
Cc: Ian Campbell <ian.campbell@citrix.com>
|
|
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
(cherry picked from commit 5c807005fa60deef2db6616d9b7b24fc4c436be9)
|
|
---
|
|
drivers/net/xen-netback/xenbus.c | 9 ++++++---
|
|
1 file changed, 6 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/drivers/net/xen-netback/xenbus.c b/drivers/net/xen-netback/xenbus.c
|
|
index 580517d..4c9041e 100644
|
|
--- a/drivers/net/xen-netback/xenbus.c
|
|
+++ b/drivers/net/xen-netback/xenbus.c
|
|
@@ -116,6 +116,7 @@ static int xenvif_read_io_ring(struct seq_file *m, void *v)
|
|
}
|
|
|
|
#define XENVIF_KICK_STR "kick"
|
|
+#define BUFFER_SIZE 32
|
|
|
|
static ssize_t
|
|
xenvif_write_io_ring(struct file *filp, const char __user *buf, size_t count,
|
|
@@ -124,22 +125,24 @@ xenvif_write_io_ring(struct file *filp, const char __user *buf, size_t count,
|
|
struct xenvif_queue *queue =
|
|
((struct seq_file *)filp->private_data)->private;
|
|
int len;
|
|
- char write[sizeof(XENVIF_KICK_STR)];
|
|
+ char write[BUFFER_SIZE];
|
|
|
|
/* don't allow partial writes and check the length */
|
|
if (*ppos != 0)
|
|
return 0;
|
|
- if (count < sizeof(XENVIF_KICK_STR) - 1)
|
|
+ if (count >= sizeof(write))
|
|
return -ENOSPC;
|
|
|
|
len = simple_write_to_buffer(write,
|
|
- sizeof(write),
|
|
+ sizeof(write) - 1,
|
|
ppos,
|
|
buf,
|
|
count);
|
|
if (len < 0)
|
|
return len;
|
|
|
|
+ write[len] = '\0';
|
|
+
|
|
if (!strncmp(write, XENVIF_KICK_STR, sizeof(XENVIF_KICK_STR) - 1))
|
|
xenvif_interrupt(0, (void *)queue);
|
|
else {
|
|
--
|
|
1.7.10.4
|
|
|