Commit 7c679fe7 authored by Ilya Matveychikov's avatar Ilya Matveychikov Committed by Greg Kroah-Hartman

lib/cmdline.c: fix get_options() overflow while parsing ranges

commit a91e0f68 upstream.

When using get_options() it's possible to specify a range of numbers,
like 1-100500.  The problem is that it doesn't track array size while
calling internally to get_range() which iterates over the range and
fills the memory with numbers.

Link: http://lkml.kernel.org/r/2613C75C-B04D-4BFF-82A6-12F97BA0F620@gmail.comSigned-off-by: default avatarIlya V. Matveychikov <matvejchikov@gmail.com>
Cc: Jonathan Corbet <corbet@lwn.net>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent bc6eecff
...@@ -22,14 +22,14 @@ ...@@ -22,14 +22,14 @@
* the values[M, M+1, ..., N] into the ints array in get_options. * the values[M, M+1, ..., N] into the ints array in get_options.
*/ */
static int get_range(char **str, int *pint) static int get_range(char **str, int *pint, int n)
{ {
int x, inc_counter, upper_range; int x, inc_counter, upper_range;
(*str)++; (*str)++;
upper_range = simple_strtol((*str), NULL, 0); upper_range = simple_strtol((*str), NULL, 0);
inc_counter = upper_range - *pint; inc_counter = upper_range - *pint;
for (x = *pint; x < upper_range; x++) for (x = *pint; n && x < upper_range; x++, n--)
*pint++ = x; *pint++ = x;
return inc_counter; return inc_counter;
} }
...@@ -96,7 +96,7 @@ char *get_options(const char *str, int nints, int *ints) ...@@ -96,7 +96,7 @@ char *get_options(const char *str, int nints, int *ints)
break; break;
if (res == 3) { if (res == 3) {
int range_nums; int range_nums;
range_nums = get_range((char **)&str, ints + i); range_nums = get_range((char **)&str, ints + i, nints - i);
if (range_nums < 0) if (range_nums < 0)
break; break;
/* /*
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment