Buffer overflow in fs/devpts/root.c

Message ID 19980930154303.A14398@tantalophile.demon.co.uk
State New, archived
Headers show
Series
  • Buffer overflow in fs/devpts/root.c
Related show

Commit Message

Jamie Lokier Sept. 30, 1998, 2:43 p.m. UTC
I haven't tested this, but it should be self explanatory.
I don't even use devpts, I just spotted this while reading.

If you look up a name like /dev/pts/9999 it'd get messy.
If you look up /dev/pts/4294967296, it'd be accepted and a dentry
kept for it.  That's silly.

-- Jamie

----- end of patch -----

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

Patch

--- /usr/src/linux/fs/devpts/root.c	Wed Aug 26 19:18:54 1998
+++ /tmp/root.c	Wed Sep 30 15:39:35 1998
@@ -152,12 +152,16 @@ 
 		if ( *p < '1' || *p > '9' )
 			return 0;
 		entry = *p++ - '0';
+		if ( entry >= sbi->max_ptys )
+			return 0;
 
 		for ( i = dentry->d_name.len-1 ; i ; i-- ) {
 			if ( *p < '0' || *p > '9' )
 				return 0;
 			entry *= 10;
 			entry += (*p++ - '0');
+			if ( entry >= sbi->max_ptys )
+				return 0;
 		}
 	}