diff mbox

kconfig: Avoid buffer underrun in choice input

Message ID 1300508770.26693.73.camel@localhost (mailing list archive)
State New, archived
Headers show

Commit Message

Ben Hutchings March 19, 2011, 4:26 a.m. UTC 
None

Comments

Ben Hutchings April 7, 2011, 11:41 p.m. UTC | #1 
On Sat, 2011-03-19 at 04:26 +0000, Ben Hutchings wrote:
> commit 40aee729b350672c2550640622416a855e27938f ('kconfig: fix default
> value for choice input') fixed some cases where kconfig would select
> the wrong option from a choice with a single valid option and thus
> enter an infinite loop.
> 
> However, this broke the test for user input of the form 'N?', because
> when kconfig selects the single valid option the input is zero-length
> and the test will read the byte before the input buffer.  If this
> happens to contain '?' (as it will in a mips build on Debian unstable
> today) then kconfig again enters an infinite loop.

Please acknowledge this and send it upstream.

Ben.

> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
> Cc: stable@kernel.org [2.6.17+]
> ---
>  scripts/kconfig/conf.c |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
> 
> diff --git a/scripts/kconfig/conf.c b/scripts/kconfig/conf.c
> index 659326c..006ad81 100644
> --- a/scripts/kconfig/conf.c
> +++ b/scripts/kconfig/conf.c
> @@ -332,7 +332,7 @@ static int conf_choice(struct menu *menu)
>  		}
>  		if (!child)
>  			continue;
> -		if (line[strlen(line) - 1] == '?') {
> +		if (line[0] && line[strlen(line) - 1] == '?') {
>  			print_help(child);
>  			continue;
>  		}
Michal Marek April 8, 2011, 11:20 a.m. UTC | #2 
On Sat, Mar 19, 2011 at 04:26:10AM +0000, Ben Hutchings wrote:
> commit 40aee729b350672c2550640622416a855e27938f ('kconfig: fix default
> value for choice input') fixed some cases where kconfig would select
> the wrong option from a choice with a single valid option and thus
> enter an infinite loop.
> 
> However, this broke the test for user input of the form 'N?', because
> when kconfig selects the single valid option the input is zero-length
> and the test will read the byte before the input buffer.  If this
> happens to contain '?' (as it will in a mips build on Debian unstable
> today) then kconfig again enters an infinite loop.
> 
> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
> Cc: stable@kernel.org [2.6.17+]
> ---
>  scripts/kconfig/conf.c |    2 +-

Applied to kbuild-2.6.git#kconfig, thanks.

Michal
--
To unsubscribe from this list: send the line "unsubscribe linux-kbuild" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
diff mbox

Patch

diff --git a/scripts/kconfig/conf.c b/scripts/kconfig/conf.c
index 659326c..006ad81 100644
--- a/scripts/kconfig/conf.c
+++ b/scripts/kconfig/conf.c
@@ -332,7 +332,7 @@  static int conf_choice(struct menu *menu)
 		}
 		if (!child)
 			continue;
-		if (line[strlen(line) - 1] == '?') {
+		if (line[0] && line[strlen(line) - 1] == '?') {
 			print_help(child);
 			continue;
 		}