1. 23 Dec, 2015 1 commit
  2. 05 Mar, 2015 1 commit
    • Steven Rostedt (Red Hat)'s avatar
      seq_buf: Fix seq_buf_bprintf() truncation · 4d4eb4d4
      Steven Rostedt (Red Hat) authored
      In seq_buf_bprintf(), bstr_printf() is used to copy the format into the
      buffer remaining in the seq_buf structure. The return of bstr_printf()
      is the amount of characters written to the buffer excluding the '\0',
      unless the line was truncated!
      
      If the line copied does not fit, it is truncated, and a '\0' is added
      to the end of the buffer. But in this case, '\0' is included in the length
      of the line written. To know if the buffer had overflowed, the return
      length will be the same or greater than the length of the buffer passed in.
      
      The check in seq_buf_bprintf() only checked if the length returned from
      bstr_printf() would fit in the buffer, as the seq_buf_bprintf() is only
      to be an all or nothing command. It either writes all the string into
      the seq_buf, or none of it. If the string is truncated, the pointers
      inside the seq_buf must be reset to what they were when the function was
      called. This is not the case. On overflow, it copies only part of the string.
      
      The fix is to change the overflow check to see if the length returned from
      bstr_printf() is less than the length remaining in the seq_buf buffer, and not
      if it is less than or equal to as it currently does. Then seq_buf_bprintf()
      will know if the write from bstr_printf() was truncated or not.
      
      Link: http://lkml.kernel.org/r/1425500481.2712.27.camel@perches.com
      
      Cc: stable@vger.kernel.org
      Reported-by: default avatarJoe Perches <joe@perches.com>
      Signed-off-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      4d4eb4d4
  3. 04 Mar, 2015 1 commit
    • Steven Rostedt (Red Hat)'s avatar
      seq_buf: Fix seq_buf_vprintf() truncation · 4a8fe4e1
      Steven Rostedt (Red Hat) authored
      In seq_buf_vprintf(), vsnprintf() is used to copy the format into the
      buffer remaining in the seq_buf structure. The return of vsnprintf()
      is the amount of characters written to the buffer excluding the '\0',
      unless the line was truncated!
      
      If the line copied does not fit, it is truncated, and a '\0' is added
      to the end of the buffer. But in this case, '\0' is included in the length
      of the line written. To know if the buffer had overflowed, the return
      length will be the same as the length of the buffer passed in.
      
      The check in seq_buf_vprintf() only checked if the length returned from
      vsnprintf() would fit in the buffer, as the seq_buf_vprintf() is only
      to be an all or nothing command. It either writes all the string into
      the seq_buf, or none of it. If the string is truncated, the pointers
      inside the seq_buf must be reset to what they were when the function was
      called. This is not the case. On overflow, it copies only part of the string.
      
      The fix is to change the overflow check to see if the length returned from
      vsnprintf() is less than the length remaining in the seq_buf buffer, and not
      if it is less than or equal to as it currently does. Then seq_buf_vprintf()
      will know if the write from vsnpritnf() was truncated or not.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      4a8fe4e1
  4. 14 Feb, 2015 1 commit
  5. 20 Nov, 2014 9 commits