Looking at fs/ncpfs/ioctl.c (latest 2.4 bk tree), I seem to see a place
where we use userspace-pointers directly (And eventually doing kfree on
these). In NCP_IOC_SETOBJECTNAME handler, we allocated space (newname
pointer), copy stuff from userspace to there and then assign userspace
pointer to our internal structure, whoops! Or am I missing something?
Seems that following patch is needed. (Same problem is present in 2.5
and same patch should apply)
Found with help of smatch + enhanced unfree script.
Bye,
Oleg
===== fs/ncpfs/ioctl.c 1.3 vs edited =====
--- 1.3/fs/ncpfs/ioctl.c Mon Sep 9 22:36:07 2002
+++ edited/fs/ncpfs/ioctl.c Sun Mar 9 23:23:12 2003
@@ -434,7 +434,7 @@
oldprivatelen = server->priv.len;
server->auth.auth_type = user.auth_type;
server->auth.object_name_len = user.object_name_len;
- server->auth.object_name = user.object_name;
+ server->auth.object_name = newname;
server->priv.len = 0;
server->priv.data = NULL;
/* leave critical section */
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/