From edc8daeffeef93f2bd705e0dca33539f55b506fb Mon Sep 17 00:00:00 2001 From: Felix Fietkau Date: Wed, 21 Aug 2013 20:59:25 +0000 Subject: kernel: crashlog: Avoid out-of-bounds write vsnprintf returns the number of chars that would have been written, not the actual number of chars written. This can lead to crashlog_buf->len being too big which in turn can lead to get_maxlen() returning negative numbers. The length argument of kmsg_dump_get_buffer will be casted to a size_t which makes a negative input a big positive number allowing kmsg_dump_get_buffer to write out of bounds. Fix this by using vscnprintf which returns the actually written number of chars. Signed-off-by: Helmut Schaa git-svn-id: svn://svn.openwrt.org/openwrt/trunk@37820 3c298f89-4303-0410-b956-a3cf2f4a3e73 --- target/linux/generic/patches-3.9/930-crashlog.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'target/linux/generic/patches-3.9') diff --git a/target/linux/generic/patches-3.9/930-crashlog.patch b/target/linux/generic/patches-3.9/930-crashlog.patch index 867e5bb2f3..d20c32d0d7 100644 --- a/target/linux/generic/patches-3.9/930-crashlog.patch +++ b/target/linux/generic/patches-3.9/930-crashlog.patch @@ -166,7 +166,7 @@ + return; + + va_start(args, fmt); -+ crashlog_buf->len += vsnprintf( ++ crashlog_buf->len += vscnprintf( + &crashlog_buf->data[crashlog_buf->len], + len, fmt, args); + va_end(args); -- cgit v1.2.3