staging: dgap: fix overflows and format strings

The boot message buffer could potentially overflow the stack and the
heap. Additionally make sure format strings could not leak into printk()
calls.

Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Kees Cook 2013-09-10 21:40:43 -07:00 committed by Greg Kroah-Hartman
parent e72b9da083
commit 1ea12fef83

View File

@ -474,7 +474,7 @@ static void dgap_cleanup_board(struct board_t *brd)
DGAP_LOCK(dgap_global_lock, flags);
brd->msgbuf = NULL;
printk(brd->msgbuf_head);
printk("%s", brd->msgbuf_head);
kfree(brd->msgbuf_head);
brd->msgbuf_head = NULL;
DGAP_UNLOCK(dgap_global_lock, flags);
@ -628,7 +628,7 @@ static int dgap_found_board(struct pci_dev *pdev, int id)
DPR_INIT(("dgap_scan(%d) - printing out the msgbuf\n", i));
DGAP_LOCK(dgap_global_lock, flags);
brd->msgbuf = NULL;
printk(brd->msgbuf_head);
printk("%s", brd->msgbuf_head);
kfree(brd->msgbuf_head);
brd->msgbuf_head = NULL;
DGAP_UNLOCK(dgap_global_lock, flags);
@ -955,25 +955,28 @@ static void dgap_mbuf(struct board_t *brd, const char *fmt, ...) {
char buf[1024];
int i;
unsigned long flags;
size_t length;
DGAP_LOCK(dgap_global_lock, flags);
/* Format buf using fmt and arguments contained in ap. */
va_start(ap, fmt);
i = vsprintf(buf, fmt, ap);
i = vsnprintf(buf, sizeof(buf), fmt, ap);
va_end(ap);
DPR((buf));
if (!brd || !brd->msgbuf) {
printk(buf);
printk("%s", buf);
DGAP_UNLOCK(dgap_global_lock, flags);
return;
}
memcpy(brd->msgbuf, buf, strlen(buf));
brd->msgbuf += strlen(buf);
*brd->msgbuf = 0;
length = strlen(buf) + 1;
if (brd->msgbuf - brd->msgbuf_head < length)
length = brd->msgbuf - brd->msgbuf_head;
memcpy(brd->msgbuf, buf, length);
brd->msgbuf += length;
DGAP_UNLOCK(dgap_global_lock, flags);
}