From: Alan <a...@linux.intel.com>
Date: Mon, 19 Sep 2016 20:15:24 +0100

> Dmitry Vyukov wrote:
>> different runs). Looking at code, the following looks suspicious -- we
>> limit copy by 512 bytes, but use the original count which can be
>> larger than 512:
>>
>> static void sixpack_receive_buf(struct tty_struct *tty,
>>         const unsigned char *cp, char *fp, int count)
>> {
>>         unsigned char buf[512];
>>         ....
>>         memcpy(buf, cp, count < sizeof(buf) ? count : sizeof(buf));
>>         ....
>>         sixpack_decode(sp, buf, count1);
>
> With the sane tty locking we now have I believe the following is safe as
> we consume the bytes and move them into the decoded buffer before
> returning.
>
> Signed-off-by: Alan Cox <a...@linux.intel.com>

Applied to net-next, thanks Alan.
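
An added example, not code from this thread or from the kernel: a user-space model of the length mismatch Dmitry describes (copy clamped to 512 bytes, decoder given the original count) next to a bounded variant in which one length governs both the copy and the decode. The names `decode`, `struct sink`, `overrun` and `receive_chunked` are hypothetical, and the patch Alan refers to is not shown on this page, so the chunked loop is only one possible way to keep the lengths consistent.

```c
/* Added example: user-space model, not kernel code. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_SZ 512 /* size of the on-stack buf[] in the quoted function */

/* Hypothetical stand-in for the decoder: records what it was handed. */
struct sink { size_t consumed; unsigned long sum; };

static void decode(struct sink *s, const unsigned char *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        s->sum += p[i];
    s->consumed += n;
}

/* Bytes the quoted pattern would read past buf[]: the copy is clamped to
 * BUF_SZ but the decoder is still given the original count. */
static size_t overrun(size_t count)
{
    size_t copied = count < BUF_SZ ? count : BUF_SZ;
    return count - copied;
}

/* Bounded variant: one length, n, governs both the copy and the decode,
 * and the input is drained in BUF_SZ pieces so nothing is dropped. */
static size_t receive_chunked(struct sink *s, const unsigned char *cp, size_t count)
{
    unsigned char buf[BUF_SZ];
    size_t done = 0;

    while (done < count) {
        size_t n = count - done;
        if (n > sizeof(buf))
            n = sizeof(buf);
        memcpy(buf, cp + done, n);
        decode(s, buf, n);
        done += n;
    }
    return done;
}

int main(void)
{
    unsigned char in[1300] = {0}; /* constructed input, larger than buf[] */
    struct sink s = {0, 0};
    printf("overrun(1300)=%zu consumed=%zu\n",
           overrun(sizeof(in)), receive_chunked(&s, in, sizeof(in)));
    return 0;
}
```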