[IA64] SN2: security hole in sn2_ptc_proc_write
authorCliff Wickman <cpw@sgi.com>
Fri, 20 Jun 2008 19:02:00 +0000 (12:02 -0700)
committerTony Luck <tony.luck@intel.com>
Fri, 20 Jun 2008 19:02:00 +0000 (12:02 -0700)
Security hole in sn2_ptc_proc_write

It is possible to overrun a buffer with a write to this /proc file.

Signed-off-by: Cliff Wickman <cpw@sgi.com>
Signed-off-by: Tony Luck <tony.luck@intel.com>
arch/ia64/sn/kernel/sn2/sn2_smp.c

index 49d3120415eb740154a5469be144e51598775d04..6dd886c5d860a29dd71b7c91a168728ff97b4611 100644 (file)
@@ -512,6 +512,8 @@ static ssize_t sn2_ptc_proc_write(struct file *file, const char __user *user, si
        int cpu;
        char optstr[64];
 
+       if (count > sizeof(optstr))
+               return -EINVAL;
        if (copy_from_user(optstr, user, count))
                return -EFAULT;
        optstr[count - 1] = '\0';