[PATCH 1/1] can-bcm: fix minor heap overflow
Tim Gardner
tim.gardner at canonical.com
Mon Jan 31 15:46:03 UTC 2011
On 01/31/2011 08:17 AM, Andy Whitcroft wrote:
> From: Oliver Hartkopp<socketcan at hartkopp.net>
>
> On 64-bit platforms the ASCII representation of a pointer may be up to 17
> bytes long. This patch increases the length of the buffer accordingly.
>
> http://marc.info/?l=linux-netdev&m=128872251418192&w=2
>
> Reported-by: Dan Rosenberg<drosenberg at vsecurity.com>
> Signed-off-by: Oliver Hartkopp<socketcan at hartkopp.net>
> CC: Linus Torvalds<torvalds at linux-foundation.org>
> Signed-off-by: David S. Miller<davem at davemloft.net>
>
> CVE-2010-3874
> (cherry-picked from 0597d1b99fcfc2c0eada09a698f85ed413d4ba84 upstream)
> BugLink: http://bugs.launchpad.net/bugs/710680
> Signed-off-by: Andy Whitcroft<apw at canonical.com>
> ---
> net/can/bcm.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/net/can/bcm.c b/net/can/bcm.c
> index 6b26e6b..d84dfb9 100644
> --- a/net/can/bcm.c
> +++ b/net/can/bcm.c
> @@ -123,7 +123,7 @@ struct bcm_sock {
> struct list_head tx_ops;
> unsigned long dropped_usr_msgs;
> struct proc_dir_entry *bcm_proc_read;
> - char procname [9]; /* pointer printed in ASCII with \0 */
> + char procname [20]; /* pointer printed in ASCII with \0 */
> };
>
> static inline struct bcm_sock *bcm_sk(const struct sock *sk)
Acked-by: Tim Gardner <tim.gardner at canonical.com>
--
Tim Gardner tim.gardner at canonical.com
More information about the kernel-team
mailing list