Commit 991a2519 authored by H. Peter Anvin's avatar H. Peter Anvin Committed by Greg Kroah-Hartman

termios, tty/tty_baudrate.c: fix buffer overrun

On architectures with CBAUDEX == 0 (Alpha and PowerPC), the code in tty_baudrate.c does
not do any limit checking on the tty_baudrate[] array, and in fact a
buffer overrun is possible on both architectures. Add a limit check to
prevent that situation.

This will be followed by a much bigger cleanup/simplification patch.
Signed-off-by: default avatarH. Peter Anvin (Intel) <hpa@zytor.com>
Requested-by: default avatarCc: Johan Hovold <johan@kernel.org>
Cc: Jiri Slaby <jslaby@suse.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Richard Henderson <rth@twiddle.net>
Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
Cc: Matt Turner <mattst88@gmail.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Kate Stewart <kstewart@linuxfoundation.org>
Cc: Philippe Ombredanne <pombredanne@nexb.com>
Cc: Eugene Syromiatnikov <esyr@redhat.com>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 943210ba
...@@ -77,7 +77,7 @@ speed_t tty_termios_baud_rate(struct ktermios *termios) ...@@ -77,7 +77,7 @@ speed_t tty_termios_baud_rate(struct ktermios *termios)
else else
cbaud += 15; cbaud += 15;
} }
return baud_table[cbaud]; return cbaud >= n_baud_table ? 0 : baud_table[cbaud];
} }
EXPORT_SYMBOL(tty_termios_baud_rate); EXPORT_SYMBOL(tty_termios_baud_rate);
...@@ -113,7 +113,7 @@ speed_t tty_termios_input_baud_rate(struct ktermios *termios) ...@@ -113,7 +113,7 @@ speed_t tty_termios_input_baud_rate(struct ktermios *termios)
else else
cbaud += 15; cbaud += 15;
} }
return baud_table[cbaud]; return cbaud >= n_baud_table ? 0 : baud_table[cbaud];
#else /* IBSHIFT */ #else /* IBSHIFT */
return tty_termios_baud_rate(termios); return tty_termios_baud_rate(termios);
#endif /* IBSHIFT */ #endif /* IBSHIFT */
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment