From 79236680bde29913dc6bfaf9165973b74223d5f7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20de=20Peslo=C3=BCan?= Date: Wed, 14 Jul 2010 18:24:54 -0700 Subject: bonding: fix a buffer overflow in bonding_show_queue_id. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The test for buffer overflow ensures we have room for 6 more bytes. sprintf, called with %s:%d, slave->dev->name, slave->queue_id may yield far more than 6 bytes. The correct test is res > (PAGE_SIZE - IFNAMSIZ - 6) . Signed-off-by: Nicolas de Pesloüan Signed-off-by: David S. Miller --- drivers/net/bonding/bond_sysfs.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'drivers/net/bonding') diff --git a/drivers/net/bonding/bond_sysfs.c b/drivers/net/bonding/bond_sysfs.c index f9a0343..1a99764 100644 --- a/drivers/net/bonding/bond_sysfs.c +++ b/drivers/net/bonding/bond_sysfs.c @@ -1427,8 +1427,8 @@ static ssize_t bonding_show_queue_id(struct device *d, read_lock(&bond->lock); bond_for_each_slave(bond, slave, i) { - if (res > (PAGE_SIZE - 6)) { - /* not enough space for another interface name */ + if (res > (PAGE_SIZE - IFNAMSIZ - 6)) { + /* not enough space for another interface_name:queue_id pair */ if ((PAGE_SIZE - res) > 10) res = PAGE_SIZE - 10; res += sprintf(buf + res, "++more++ "); -- cgit v1.1