On 06/08/2014 01:42 AM, David Rientjes wrote:
dns_query() credulously assumes that keys are null-terminated and returns a copy of a memory block that is off by one.
No sign-off? Please read Documentation/SubmittingPatches.
--- net/dns_resolver/dns_query.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/dns_resolver/dns_query.c b/net/dns_resolver/dns_query.c index e7b6d53..84871a2 100644 --- a/net/dns_resolver/dns_query.c +++ b/net/dns_resolver/dns_query.c @@ -145,11 +145,11 @@ int dns_query(const char *type, const char *name, size_t namelen, len = upayload->datalen; ret = -ENOMEM; - *_result = kmalloc(len + 1, GFP_KERNEL); + *_result = kzalloc(len + 1, GFP_KERNEL); if (!*_result) goto put; - memcpy(*_result, upayload->data, len + 1); + memcpy(*_result, upayload->data, len); if (_expiry) *_expiry = rkey->expiry;
kzalloc() would be unnecessary overhead (zeroing definitely comes with a cost) if you're going to copy to the memory immediately afterwards. Just leave the kmalloc(), do the memcpy() and explicitly zero terminate it _result.
You can also replace kmalloc()/memcpy() with kmemdup(). WBR, Sergei -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
