aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorArtem Bityutskiy <Artem.Bityutskiy@nokia.com>2008-07-13 14:46:24 -0400
committerArtem Bityutskiy <Artem.Bityutskiy@nokia.com>2008-07-24 06:32:56 -0400
commita6ea440769e11c46828cddd20f91ab57261701d5 (patch)
tree19994608d2721de6484310c60e4a3ff1414cb1ef
parenta5bf6190417cbbf80443a9f71c65b653e13e9982 (diff)
UBI: improve mkvol request validation
Check that volume name is not shorter than 'name_len'. No need to copy the trailing zero byte because whole array was zeroed earlier. Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
-rw-r--r--drivers/mtd/ubi/cdev.c7
-rw-r--r--drivers/mtd/ubi/vmt.c4
2 files changed, 7 insertions, 4 deletions
diff --git a/drivers/mtd/ubi/cdev.c b/drivers/mtd/ubi/cdev.c
index 3e3449ec07f..4fb84e3e650 100644
--- a/drivers/mtd/ubi/cdev.c
+++ b/drivers/mtd/ubi/cdev.c
@@ -574,6 +574,10 @@ static int verify_mkvol_req(const struct ubi_device *ubi,
574 goto bad; 574 goto bad;
575 } 575 }
576 576
577 n = strnlen(req->name, req->name_len + 1);
578 if (n != req->name_len)
579 goto bad;
580
577 return 0; 581 return 0;
578 582
579bad: 583bad:
@@ -629,12 +633,11 @@ static int ubi_cdev_ioctl(struct inode *inode, struct file *file,
629 break; 633 break;
630 } 634 }
631 635
636 req.name[req.name_len] = '\0';
632 err = verify_mkvol_req(ubi, &req); 637 err = verify_mkvol_req(ubi, &req);
633 if (err) 638 if (err)
634 break; 639 break;
635 640
636 req.name[req.name_len] = '\0';
637
638 mutex_lock(&ubi->volumes_mutex); 641 mutex_lock(&ubi->volumes_mutex);
639 err = ubi_create_volume(ubi, &req); 642 err = ubi_create_volume(ubi, &req);
640 mutex_unlock(&ubi->volumes_mutex); 643 mutex_unlock(&ubi->volumes_mutex);
diff --git a/drivers/mtd/ubi/vmt.c b/drivers/mtd/ubi/vmt.c
index 367b04176e0..bfa7c5d2e06 100644
--- a/drivers/mtd/ubi/vmt.c
+++ b/drivers/mtd/ubi/vmt.c
@@ -275,7 +275,7 @@ int ubi_create_volume(struct ubi_device *ubi, struct ubi_mkvol_req *req)
275 vol->data_pad = ubi->leb_size % vol->alignment; 275 vol->data_pad = ubi->leb_size % vol->alignment;
276 vol->vol_type = req->vol_type; 276 vol->vol_type = req->vol_type;
277 vol->name_len = req->name_len; 277 vol->name_len = req->name_len;
278 memcpy(vol->name, req->name, vol->name_len + 1); 278 memcpy(vol->name, req->name, vol->name_len);
279 vol->ubi = ubi; 279 vol->ubi = ubi;
280 280
281 /* 281 /*
@@ -350,7 +350,7 @@ int ubi_create_volume(struct ubi_device *ubi, struct ubi_mkvol_req *req)
350 vtbl_rec.vol_type = UBI_VID_DYNAMIC; 350 vtbl_rec.vol_type = UBI_VID_DYNAMIC;
351 else 351 else
352 vtbl_rec.vol_type = UBI_VID_STATIC; 352 vtbl_rec.vol_type = UBI_VID_STATIC;
353 memcpy(vtbl_rec.name, vol->name, vol->name_len + 1); 353 memcpy(vtbl_rec.name, vol->name, vol->name_len);
354 354
355 err = ubi_change_vtbl_record(ubi, vol_id, &vtbl_rec); 355 err = ubi_change_vtbl_record(ubi, vol_id, &vtbl_rec);
356 if (err) 356 if (err)