char: lp: fix possible integer overflow in lp_setup()
authorWilly Tarreau <w@1wt.eu>
Tue, 16 May 2017 17:18:55 +0000 (19:18 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 16 May 2017 21:05:20 +0000 (23:05 +0200)
The lp_setup() code doesn't apply any bounds checking when passing
"lp=none", and only in this case, resulting in an overflow of the
parport_nr[] array. All versions in Git history are affected.

Reported-By: Roee Hay <roee.hay@hcl.com>
Cc: Ben Hutchings <ben@decadent.org.uk>
Cc: stable@vger.kernel.org
Signed-off-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/char/lp.c

index 565e4cf04a0215934e9b0f4df6f4398fbd0b2344..8249762192d55ed86a9794895a6faab01afe649e 100644 (file)
@@ -859,7 +859,11 @@ static int __init lp_setup (char *str)
        } else if (!strcmp(str, "auto")) {
                parport_nr[0] = LP_PARPORT_AUTO;
        } else if (!strcmp(str, "none")) {
-               parport_nr[parport_ptr++] = LP_PARPORT_NONE;
+               if (parport_ptr < LP_NO)
+                       parport_nr[parport_ptr++] = LP_PARPORT_NONE;
+               else
+                       printk(KERN_INFO "lp: too many ports, %s ignored.\n",
+                              str);
        } else if (!strcmp(str, "reset")) {
                reset = 1;
        }