debian-packaging
/
linux
8
0
Fork 0
Code Releases Activity
linux/debian/patches/bugfix/all/xen-netback-fix-debugfs-wri...

66 lines
2.1 KiB
Diff
Raw Blame History

From 588d54039ef4c17c7bba79abe057daf5b69b2330 Mon Sep 17 00:00:00 2001
From: Wei Liu <wei.liu2@citrix.com>
Date: Tue, 12 Aug 2014 11:59:29 +0100
Subject: [PATCH 06/14] xen-netback: fix debugfs write length check
Origin: https://git.kernel.org/linus/5c807005fa60deef2db6616d9b7b24fc4c436be9
Enlarge buffer size and check input length properly, so that we don't
misuse -ENOSPC.
Note that command like "kickXXXX" is still allowed, that's one patch for
another day if we really want to be very strict on this.
Reported-by: SeeChen Ng <seechen81@gmail.com>
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Cc: Zoltan Kiss <zoltan.kiss@citrix.com>
Cc: Ian Campbell <ian.campbell@citrix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 5c807005fa60deef2db6616d9b7b24fc4c436be9)
---
drivers/net/xen-netback/xenbus.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/net/xen-netback/xenbus.c b/drivers/net/xen-netback/xenbus.c
index 580517d..4c9041e 100644
--- a/drivers/net/xen-netback/xenbus.c
+++ b/drivers/net/xen-netback/xenbus.c
@@ -116,6 +116,7 @@ static int xenvif_read_io_ring(struct seq_file *m, void *v)
}
#define XENVIF_KICK_STR "kick"
+#define BUFFER_SIZE 32
static ssize_t
xenvif_write_io_ring(struct file *filp, const char __user *buf, size_t count,
@@ -124,22 +125,24 @@ xenvif_write_io_ring(struct file *filp, const char __user *buf, size_t count,
struct xenvif_queue *queue =
((struct seq_file *)filp->private_data)->private;
int len;
- char write[sizeof(XENVIF_KICK_STR)];
+ char write[BUFFER_SIZE];
/* don't allow partial writes and check the length */
if (*ppos != 0)
return 0;
- if (count < sizeof(XENVIF_KICK_STR) - 1)
+ if (count >= sizeof(write))
return -ENOSPC;
len = simple_write_to_buffer(write,
- sizeof(write),
+ sizeof(write) - 1,
ppos,
buf,
count);
if (len < 0)
return len;
+ write[len] = '\0';
+
if (!strncmp(write, XENVIF_KICK_STR, sizeof(XENVIF_KICK_STR) - 1))
xenvif_interrupt(0, (void *)queue);
else {
--
1.7.10.4
View Git Blame Copy Permalink