• R
    net: core: improve sanity checking in __dev_alloc_name · 51f299dd
    Rasmus Villemoes 提交于
    __dev_alloc_name is called from the public (and exported)
    dev_alloc_name(), so we don't have a guarantee that strlen(name) is at
    most IFNAMSIZ. If somebody manages to get __dev_alloc_name called with a
    % char beyond the 31st character, we'd be making a snprintf() call that
    will very easily crash the kernel (using an appropriate %p extension,
    we'll likely dereference some completely bogus pointer).
    
    In the normal case where strlen() is sane, we don't even save anything
    by limiting to IFNAMSIZ, so just use strchr().
    Signed-off-by: NRasmus Villemoes <linux@rasmusvillemoes.dk>
    Signed-off-by: NDavid S. Miller <davem@davemloft.net>
    51f299dd
dev.c 220.1 KB