git.archive.openwrt.org Git - openwrt.git/commit

kernel: crashlog: Avoid out-of-bounds write

vsnprintf returns the number of chars that would have been written, not
the actual number of chars written. This can lead to crashlog_buf->len
being too big which in turn can lead to get_maxlen() returning negative
numbers. The length argument of kmsg_dump_get_buffer will be casted to
a size_t which makes a negative input a big positive number allowing
kmsg_dump_get_buffer to write out of bounds.

Fix this by using vscnprintf which returns the actually written number
of chars.

Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com>
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@37820 3c298f89-4303-0410-b956-a3cf2f4a3e73

author	nbd <nbd@3c298f89-4303-0410-b956-a3cf2f4a3e73>
	Wed, 21 Aug 2013 20:59:25 +0000 (20:59 +0000)
committer	nbd <nbd@3c298f89-4303-0410-b956-a3cf2f4a3e73>
	Wed, 21 Aug 2013 20:59:25 +0000 (20:59 +0000)
commit	c00dc738e71e14b314710f250437603357b9207f
tree	da8ca9958a4d4707fd9335916a0291cec173a2c4	tree \| snapshot
parent	fe86258a3325cfa0810c783ee832b0a3dbb7719f	commit \| diff

target/linux/generic/patches-3.10/930-crashlog.patch		diff \| blob \| history
target/linux/generic/patches-3.3/930-crashlog.patch		diff \| blob \| history
target/linux/generic/patches-3.6/930-crashlog.patch		diff \| blob \| history
target/linux/generic/patches-3.8/930-crashlog.patch		diff \| blob \| history
target/linux/generic/patches-3.9/930-crashlog.patch		diff \| blob \| history