From 05d690e0ebecef7bf72be69ba2c4702f7b80a23c Mon Sep 17 00:00:00 2001 From: =?utf8?q?=C5=81ukasz=20Stelmach?= Date: Fri, 9 Apr 2021 17:20:07 +0200 Subject: [PATCH] logger: fix temporary buffer handling MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Prevent writing beyond temporary buffer and improve accumulation of data before receiving a newline character or filling the buffer. Change-Id: I8e0591c90914dbd4c2addde4247157831fa4843a Signed-off-by: Łukasz Stelmach --- drivers/staging/android/logger.c | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/drivers/staging/android/logger.c b/drivers/staging/android/logger.c index 67608e0ed421..680ec1ad1650 100644 --- a/drivers/staging/android/logger.c +++ b/drivers/staging/android/logger.c @@ -593,6 +593,7 @@ static ssize_t logger_write_iter(struct kiocb *iocb, struct iov_iter *from) if (from_stdio) { char *p; size_t chunk_len = 0; + /* -2 : priority byte and tag terminating '\0' */ size_t max_payload = LOGGER_ENTRY_MAX_PAYLOAD - writer->tag_len - 2; if (writer->owner != current->group_leader) { @@ -623,7 +624,9 @@ static ssize_t logger_write_iter(struct kiocb *iocb, struct iov_iter *from) if (writer->b_owner != current && writer->b_off) flush_thread_data(file); - count = min_t(size_t, iov_iter_count(from), max_payload - 1); + /* -1 : leave space for message terminating '\0' */ + count = min_t(size_t, iov_iter_count(from), + max_payload - writer->b_off - 1); do { @@ -638,8 +641,16 @@ static ssize_t logger_write_iter(struct kiocb *iocb, struct iov_iter *from) *p++ = '\0'; chunk_len = p - writer->buffer; } else { - writer->buffer[count++] = '\0'; - chunk_len = count; + writer->buffer[writer->b_off + count++] = '\0'; + p = &writer->buffer[writer->b_off + count]; + chunk_len = p - writer->buffer; + + BUG_ON(chunk_len > max_payload); + if (chunk_len < max_payload ) { + writer->b_off = writer->b_off + count - 1; + continue; + } + } header.len = chunk_len + writer->tag_len + 2; -- 2.34.1