• net/sched: potential data corruption · 0eff683f
    Dan Carpenter authored
    The reset_policy() does:
            memset(d->tcfd_defdata, 0, SIMP_MAX_DATA);
            strlcpy(d->tcfd_defdata, defdata, SIMP_MAX_DATA);
    
    In the original code, the size of d->tcfd_defdata wasn't fixed and if
    strlen(defdata) was less than 31, reset_policy() would cause memory
    corruption.
    
    Please Note:  The original alloc_defdata() assumes defdata is 32
    characters and a NUL terminator while reset_policy() assumes defdata is
    31 characters and a NUL.  This patch updates alloc_defdata() to match
    reset_policy() (i.e. a shorter string).  I'm not very familiar with this
    code so please review carefully.
    Signed-off-by: Dan Carpenter <error27@gmail.com>
    Acked-by: Jamal Hadi Salim <hadi@cyberus.ca>
    Signed-off-by: David S. Miller <davem@davemloft.net>
act_simple.c 5.18 KB
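
The size mismatch described in the commit message, as an added userspace model (not the kernel's code and not part of the original commit). `SIMP_MAX_DATA` is assumed to be 32, and `struct defdata_buf`, `bounded_copy()`, `alloc_variable()`, `alloc_fixed()`, `reset_overrun()` and `reset_policy_checked()` are hypothetical names; the reset is guarded so the model reports the overrun instead of performing it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define SIMP_MAX_DATA 32 /* assumed: 31 characters + NUL, as the message implies */
struct defdata_buf { char *data; size_t cap; }; /* cap: bytes actually allocated */
/* strlcpy-style copy: at most size-1 bytes, always NUL-terminated. */
static void bounded_copy(char *dst, const char *src, size_t size) {
    size_t i = 0;
    while (i + 1 < size && src[i]) { dst[i] = src[i]; i++; }
    dst[i] = '\0';
}

/* "Before" model: allocation sized to the string (up to 32 chars + NUL). */
static int alloc_variable(struct defdata_buf *b, const char *s) {
    size_t n = 0;
    while (n < SIMP_MAX_DATA && s[n]) n++;
    b->cap = n + 1;
    if (!(b->data = malloc(b->cap))) return -1;
    bounded_copy(b->data, s, b->cap);
    return 0;
}

/* "After" model: always SIMP_MAX_DATA zeroed bytes, string truncated to fit. */
static int alloc_fixed(struct defdata_buf *b, const char *s) {
    b->cap = SIMP_MAX_DATA;
    if (!(b->data = calloc(1, b->cap))) return -1;
    bounded_copy(b->data, s, b->cap);
    return 0;
}

/* Bytes a fixed-size memset(data, 0, SIMP_MAX_DATA) would write out of bounds. */
static size_t reset_overrun(const struct defdata_buf *b) {
    return b->cap < SIMP_MAX_DATA ? SIMP_MAX_DATA - b->cap : 0;
}

/* The reset from the message, guarded so this model never corrupts memory. */
static int reset_policy_checked(struct defdata_buf *b, const char *s) {
    if (reset_overrun(b)) return -1;
    memset(b->data, 0, SIMP_MAX_DATA);
    bounded_copy(b->data, s, SIMP_MAX_DATA);
    return 0;
}

int main(void) {
    struct defdata_buf old, fixed;
    if (alloc_variable(&old, "hi") || alloc_fixed(&fixed, "hi")) return 1;
    printf("overrun: variable=%zu fixed=%zu\n", reset_overrun(&old), reset_overrun(&fixed));
    free(old.data); free(fixed.data); return 0;
}
```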