aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDan Williams <dan.j.williams@gmail.com>2008-09-25 01:48:19 -0400
committerNeilBrown <neilb@suse.de>2008-10-16 02:03:08 -0400
commit97ce0a7f9caf9d715cee815a016ee21575f71c95 (patch)
treeb35d4f84795a9b3f20a22faa43148a9c2c68d051
parent08ff39f1c8f2134f7d0f38123ca5952371665cc5 (diff)
md: fix input truncation in safe_delay_store()
safe_delay_store() currently truncates the last character of input since it tells strlcpy that the buffer can only hold 'len' characters, off by one. sysfs already null terminates the buffer, so just increase the last argument to strlcpy. Signed-off-by: Dan Williams <dan.j.williams@intel.com> Signed-off-by: NeilBrown <neilb@suse.de>
-rw-r--r--drivers/md/md.c8
1 files changed, 3 insertions, 5 deletions
diff --git a/drivers/md/md.c b/drivers/md/md.c
index 39c9c87a1342..aaa3d465de4e 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -2394,12 +2394,11 @@ safe_delay_store(mddev_t *mddev, const char *cbuf, size_t len)
2394 int i; 2394 int i;
2395 unsigned long msec; 2395 unsigned long msec;
2396 char buf[30]; 2396 char buf[30];
2397 char *e; 2397
2398 /* remove a period, and count digits after it */ 2398 /* remove a period, and count digits after it */
2399 if (len >= sizeof(buf)) 2399 if (len >= sizeof(buf))
2400 return -EINVAL; 2400 return -EINVAL;
2401 strlcpy(buf, cbuf, len); 2401 strlcpy(buf, cbuf, sizeof(buf));
2402 buf[len] = 0;
2403 for (i=0; i<len; i++) { 2402 for (i=0; i<len; i++) {
2404 if (dot) { 2403 if (dot) {
2405 if (isdigit(buf[i])) { 2404 if (isdigit(buf[i])) {
@@ -2412,8 +2411,7 @@ safe_delay_store(mddev_t *mddev, const char *cbuf, size_t len)
2412 buf[i] = 0; 2411 buf[i] = 0;
2413 } 2412 }
2414 } 2413 }
2415 msec = simple_strtoul(buf, &e, 10); 2414 if (strict_strtoul(buf, 10, &msec) < 0)
2416 if (e == buf || (*e && *e != '\n'))
2417 return -EINVAL; 2415 return -EINVAL;
2418 msec = (msec * 1000) / scale; 2416 msec = (msec * 1000) / scale;
2419 if (msec == 0) 2417 if (msec == 0)