diff options
| author | Heiko Carstens <heiko.carstens@de.ibm.com> | 2009-10-29 10:04:11 -0400 |
|---|---|---|
| committer | Martin Schwidefsky <sky@mschwide.boeblingen.de.ibm.com> | 2009-10-29 10:05:12 -0400 |
| commit | e8a79c9ec779168502402a8b834abf8cf38a325a (patch) | |
| tree | 4d473feebe815ea3b76a21268e2642e748fb5e38 /drivers | |
| parent | 4a0fb4c44573759f878fc65f6ddbd46080748f8b (diff) | |
[S390] call home: fix string length handling
After copying uts->nodename to the static nodename array the static
version isn't necessarily zero termininated, since the size of the
array is one byte too short.
Afterwards doing strncat(data, nodename, strlen(nodename)); may copy
an arbitrary large amount of bytes.
Fix this by getting rid of the static array and using strncat with
proper length limit.
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Diffstat (limited to 'drivers')
| -rw-r--r-- | drivers/s390/char/sclp_async.c | 14 |
1 files changed, 6 insertions, 8 deletions
diff --git a/drivers/s390/char/sclp_async.c b/drivers/s390/char/sclp_async.c index 3c20aa13118..b44462a6c6d 100644 --- a/drivers/s390/char/sclp_async.c +++ b/drivers/s390/char/sclp_async.c | |||
| @@ -26,7 +26,6 @@ static struct sclp_async_sccb *sccb; | |||
| 26 | static int sclp_async_send_wait(char *message); | 26 | static int sclp_async_send_wait(char *message); |
| 27 | static struct ctl_table_header *callhome_sysctl_header; | 27 | static struct ctl_table_header *callhome_sysctl_header; |
| 28 | static DEFINE_SPINLOCK(sclp_async_lock); | 28 | static DEFINE_SPINLOCK(sclp_async_lock); |
| 29 | static char nodename[64]; | ||
| 30 | #define SCLP_NORMAL_WRITE 0x00 | 29 | #define SCLP_NORMAL_WRITE 0x00 |
| 31 | 30 | ||
| 32 | struct async_evbuf { | 31 | struct async_evbuf { |
| @@ -52,9 +51,10 @@ static struct sclp_register sclp_async_register = { | |||
| 52 | static int call_home_on_panic(struct notifier_block *self, | 51 | static int call_home_on_panic(struct notifier_block *self, |
| 53 | unsigned long event, void *data) | 52 | unsigned long event, void *data) |
| 54 | { | 53 | { |
| 55 | strncat(data, nodename, strlen(nodename)); | 54 | strncat(data, init_utsname()->nodename, |
| 56 | sclp_async_send_wait(data); | 55 | sizeof(init_utsname()->nodename)); |
| 57 | return NOTIFY_DONE; | 56 | sclp_async_send_wait(data); |
| 57 | return NOTIFY_DONE; | ||
| 58 | } | 58 | } |
| 59 | 59 | ||
| 60 | static struct notifier_block call_home_panic_nb = { | 60 | static struct notifier_block call_home_panic_nb = { |
| @@ -183,10 +183,8 @@ static int __init sclp_async_init(void) | |||
| 183 | goto out_mem; | 183 | goto out_mem; |
| 184 | rc = atomic_notifier_chain_register(&panic_notifier_list, | 184 | rc = atomic_notifier_chain_register(&panic_notifier_list, |
| 185 | &call_home_panic_nb); | 185 | &call_home_panic_nb); |
| 186 | if (rc) | 186 | if (!rc) |
| 187 | goto out_mem; | 187 | goto out; |
| 188 | strncpy(nodename, init_utsname()->nodename, 64); | ||
| 189 | goto out; | ||
| 190 | out_mem: | 188 | out_mem: |
| 191 | kfree(request); | 189 | kfree(request); |
| 192 | free_page((unsigned long) sccb); | 190 | free_page((unsigned long) sccb); |