aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorTejun Heo <htejun@gmail.com>2005-11-10 02:55:01 -0500
committerJens Axboe <axboe@nelson.home.kernel.dk>2005-11-12 04:56:21 -0500
commitbe56123568072d223263a6a70a087d1e7faabb83 (patch)
treee6044bff3c9dba3392dfe1a4b172d87081d55334
parent15853af9f07673680439b224519c692f1352b959 (diff)
[BLOCK] fix string handling in elv_iosched_store
elv_iosched_store doesn't terminate string passed from userspace if it's too long. Also, if the written length is zero (probably not possible), it accesses elevator_name[-1]. This patch fixes both bugs. Signed-off-by: Tejun Heo <htejun@gmail.com> Signed-off-by: Jens Axboe <axboe@suse.de>
-rw-r--r--block/elevator.c10
1 files changed, 6 insertions, 4 deletions
diff --git a/block/elevator.c b/block/elevator.c
index 73aa46b6db49..cacfff7418e4 100644
--- a/block/elevator.c
+++ b/block/elevator.c
@@ -762,13 +762,15 @@ error:
762ssize_t elv_iosched_store(request_queue_t *q, const char *name, size_t count) 762ssize_t elv_iosched_store(request_queue_t *q, const char *name, size_t count)
763{ 763{
764 char elevator_name[ELV_NAME_MAX]; 764 char elevator_name[ELV_NAME_MAX];
765 size_t len;
765 struct elevator_type *e; 766 struct elevator_type *e;
766 767
767 memset(elevator_name, 0, sizeof(elevator_name)); 768 elevator_name[sizeof(elevator_name) - 1] = '\0';
768 strncpy(elevator_name, name, sizeof(elevator_name)); 769 strncpy(elevator_name, name, sizeof(elevator_name) - 1);
770 len = strlen(elevator_name);
769 771
770 if (elevator_name[strlen(elevator_name) - 1] == '\n') 772 if (len && elevator_name[len - 1] == '\n')
771 elevator_name[strlen(elevator_name) - 1] = '\0'; 773 elevator_name[len - 1] = '\0';
772 774
773 e = elevator_get(elevator_name); 775 e = elevator_get(elevator_name);
774 if (!e) { 776 if (!e) {