[PATCH] dm: prevent possible buffer overflow in ioctl interface

Use the correct size for "name" in register_with_devfs(). During Al Viro's devfs cleanup a few versions ago, this function was rewritten, and the "name" string added. The 32-byte size is not large enough to prevent a possible buffer overflow in the sprintf() call, since the hash cell can have a name up to 128 characters.
author: Kevin Corry <corryk@us.ibm.com> 2003-02-26 15:15:16 -0800
committer: Linus Torvalds <torvalds@home.transmeta.com> 2003-02-26 15:15:16 -0800
commit: 61a295e889e2097ff515ad74c3082fd794ef5dbb (patch)
tree: 47237fb1a6fc41ddf9c8948d0d9f7c234df5f1bb
parent: 7e2ec88a6e031eac73d064ab6c056b8dacbe1911 (diff)
1 files changed, 5 insertions, 1 deletions
diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c
index 322de7c4fc32..62fcd80e611d 100644
--- a/drivers/md/dm-ioctl.c
+++ b/drivers/md/dm-ioctl.c
@@ -173,14 +173,18 @@ static void free_cell(struct hash_cell *hc)
  */
 static int register_with_devfs(struct hash_cell *hc)
 {
-	char name[32];
 	struct gendisk *disk = dm_disk(hc->md);
+	char *name = kmalloc(DM_NAME_LEN + strlen(DM_DIR) + 1);
+	if (!name) {
+		return -ENOMEM;
+	}
 
 	sprintf(name, DM_DIR "/%s", hc->name);
 	devfs_register(NULL, name, DEVFS_FL_CURRENT_OWNER,
 		       disk->major, disk->first_minor,
 		       S_IFBLK | S_IRUSR | S_IWUSR | S_IRGRP,
 		       &dm_blk_dops, NULL);
+	kfree(name);
 	return 0;
 }
author	Kevin Corry <corryk@us.ibm.com>	2003-02-26 15:15:16 -0800
committer	Linus Torvalds <torvalds@home.transmeta.com>	2003-02-26 15:15:16 -0800
commit	61a295e889e2097ff515ad74c3082fd794ef5dbb (patch)
tree	47237fb1a6fc41ddf9c8948d0d9f7c234df5f1bb
parent	7e2ec88a6e031eac73d064ab6c056b8dacbe1911 (diff)