sysctl: fix null checking in bin_dn_node_address()
author Xi Wang <xi.wang@gmail.com>
Thu, 28 Feb 2013 01:05:21 +0000 (17:05 -0800)
committer Linus Torvalds <torvalds@linux-foundation.org>
Thu, 28 Feb 2013 03:10:21 +0000 (19:10 -0800)
The null check of `strchr() + 1' is broken, which is always non-null,
leading to OOB read.  Instead, check the result of strchr().

Signed-off-by: Xi Wang <xi.wang@gmail.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
kernel/sysctl_binary.c

index b25115e8c7f36f9fe6750ea586031f3ad81ffec8..ebf72358e86aec33c270edd7e8167789fea59ff9 100644 (file)
@@ -1171,9 +1171,10 @@ static ssize_t bin_dn_node_address(struct file *file,
 
                /* Convert the decnet address to binary */
                result = -EIO;
-               nodep = strchr(buf, '.') + 1;
+               nodep = strchr(buf, '.');
                if (!nodep)
                        goto out;
+               ++nodep;
 
                area = simple_strtoul(buf, NULL, 10);
                node = simple_strtoul(nodep, NULL, 10);
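Review bot: In the two context lines that follow the fixed check, both simple_strtoul() calls pass NULL as the end pointer, so the visible code cannot distinguish "1.2" from "1." or "1.x": an empty or non-numeric node part parses as 0 rather than taking the -EIO path set up just above. Consider passing an end pointer to each call and doing `goto out` when no digits were consumed, or when the area part does not stop at the '.' that strchr() found. The reordering itself (check the strchr() result, then `++nodep`) is right. A short comment noting that nodep is advanced past the '.' only after the null check would help keep the two steps from being merged back into one expression.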