Prev: [PATCH next-next-2.6 v2] virtio_net: missing sg_init_table
Next: [RFC] alpha: hack objstrip.c to make it compile.
From: wzt.wzt on 29 Mar 2010 21:30
elevator_get() not check the name length, if the name length > sizeof(elv),
elv will miss the '\0'. And elv buffer will be replace "-iosched" as something
like aaaaaaaaa, then call request_module() can load an not trust module.

Signed-off-by: Zhitong Wang <zhitong.wangzt(a)alibaba-inc.com>

---
block/elevator.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/block/elevator.c b/block/elevator.c
index df75676..76e3702 100644
--- a/block/elevator.c
+++ b/block/elevator.c
@@ -154,7 +154,7 @@ static struct elevator_type *elevator_get(const char *name)

spin_unlock(&elv_list_lock);

- sprintf(elv, "%s-iosched", name);
+ snprintf(elv, sizeof(elv), "%s-iosched", name);

request_module("%s", elv);
spin_lock(&elv_list_lock);
--
1.6.5.3

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo(a)vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
 | 
Pages: 1
Prev: [PATCH next-next-2.6 v2] virtio_net: missing sg_init_table
Next: [RFC] alpha: hack objstrip.c to make it compile.