On Sat, Jul 19, 2014 at 10:26:57AM -0400, Benjamin Romer wrote:
> +ssize_t store_chipsetready(struct device *dev, struct device_attribute *attr,
> +             const char *buf, size_t count)
>  {
> -     char buf[512];
> -     char *token, *p;
> -
> -     if (count > sizeof(buf) - 1) {
> -             LOGERR("chipset_proc_write: count (%d) exceeds size of buffer 
> (%d)",
> -                  (int) count, (int) sizeof(buffer));
> -             return -EINVAL;
> -     }
> -     if (copy_from_user(buf, buffer, count)) {
> -             LOGERR("chipset_proc_write: copy_from_user failed");
> -             return -EFAULT;
> -     }
> -     buf[count] = '\0';
> -
> -     p = buf;
> -     token = gettoken(&p);
> -
> -     if (strcmp(token, "CALLHOMEDISK_MOUNTED") == 0) {
> -             token = gettoken(&p);
> -             /* The Call Home Disk has been mounted */
> -             if (strcmp(token, "0") == 0)
> -                     chipset_events[0] = 1;
> -     } else if (strcmp(token, "MODULES_LOADED") == 0) {
> -             token = gettoken(&p);
> -             /* All modules for the partition have been loaded */
> -             if (strcmp(token, "0") == 0)
> -                     chipset_events[1] = 1;
> -     } else if (token == NULL) {
> -             /* No event specified */
> -             LOGERR("No event was specified to send CHIPSET_READY response");
> -             return -1;
> +     char msgtype[64];
> +     int msgparam;
> +
> +     if (sscanf(buf, "%63s %d", msgtype, &msgparam) == 2) {
> +             if (strcmp(msgtype, "CALLHOMEDISK_MOUNTED") == 0) {
> +                     /* The Call Home Disk has been mounted */
> +                     if (msgparam == 0)
> +                             chipset_events[0] = 1;
> +             } else if (strcmp(msgtype, "MODULES_LOADED") == 0) {
> +                     /* All modules for the partition have been loaded */
> +                     if (msgparam == 0)
> +                             chipset_events[1] = 1;
> +             } else {
> +                     /* Unsupported event specified */
> +                     LOGERR("%s is an invalid event for sending 
> CHIPSET_READY response",
> +                             msgtype);
> +                     return -1;
> +             }
>       } else {
> -             /* Unsupported event specified */
> -             LOGERR("%s is an invalid event for sending CHIPSET_READY 
> response",                  token);
> +             LOGERR("malformed input to chipsetready attribute");
>               return -1;
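Review bot: A recognised event name with a non-zero parameter is neither acted on nor rejected: under both `strcmp` branches the `if (msgparam == 0)` test just skips the assignment, so as far as the quoted lines show, such a write falls through to whatever the function returns on success. The `sscanf(buf, "%63s %d", ...)` call also ignores any text after the integer, so input with trailing junk is accepted as well-formed. If 0 is the only meaningful parameter, reject everything else explicitly before comparing names, for example `if (msgparam != 0) return -EINVAL;`. A short comment saying what slots 0 and 1 of `chipset_events` stand for (or named constants for them) would also help the next reader. The end of `store_chipsetready` is outside the quoted hunk, so the success return value is inferred rather than visible.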

How nice, a simple way to create a DoS in the kernel log by just writing
odd data to a sysfs file :(

Also, don't make up error numbers that you are returning to userspace,
-1 is not a valid one for what you mean here.  Or I really don't know
what you mean...

thanks,

greg k-h