author | Tejun Heo <htejun@gmail.com> | 2005-11-10 02:55:01 -0500 |
---|---|---|
committer | Jens Axboe <axboe@nelson.home.kernel.dk> | 2005-11-12 04:56:21 -0500 |
commit | be56123568072d223263a6a70a087d1e7faabb83 (patch) | |
tree | e6044bff3c9dba3392dfe1a4b172d87081d55334 | |
parent | 15853af9f07673680439b224519c692f1352b959 (diff) |
[BLOCK] fix string handling in elv_iosched_store
elv_iosched_store doesn't terminate string passed from userspace if
it's too long. Also, if the written length is zero (probably not
possible), it accesses elevator_name[-1]. This patch fixes both bugs.
Signed-off-by: Tejun Heo <htejun@gmail.com>
Signed-off-by: Jens Axboe <axboe@suse.de>
-rw-r--r-- | block/elevator.c | 10 |
1 files changed, 6 insertions, 4 deletions
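--- a/block/elevator.c
+++ b/block/elevator.c
@@ -762,13 +762,15 @@ error:
 ssize_t elv_iosched_store(request_queue_t *q, const char *name, size_t count)
 {
 char elevator_name[ELV_NAME_MAX];
+size_t len;
 struct elevator_type *e;
 
-memset(elevator_name, 0, sizeof(elevator_name));
-strncpy(elevator_name, name, sizeof(elevator_name));
+elevator_name[sizeof(elevator_name) - 1] = '\0';
+strncpy(elevator_name, name, sizeof(elevator_name) - 1);
+len = strlen(elevator_name);
 
-if (elevator_name[strlen(elevator_name) - 1] == '\n')
-elevator_name[strlen(elevator_name) - 1] = '\0';
+if (len && elevator_name[len - 1] == '\n')
+elevator_name[len - 1] = '\0';
 
 e = elevator_get(elevator_name);
 if (!e) {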
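Review bot: The copy in elv_iosched_store is bounded only by the destination size; `count` is never consulted in the visible lines, so `strncpy(elevator_name, name, sizeof(elevator_name) - 1)` still relies on the caller passing a NUL-terminated `name`. That presumably holds for the sysfs write path, but the assumption should be recorded above the copy, e.g. `/* name is NUL-terminated by the caller; count is not used to bound the read */`. An over-long write is also truncated silently and the truncated prefix is then passed to `elevator_get()`, so a second comment such as `/* over-long input is truncated, not rejected */` would make that behaviour explicit for the next reader. The function body continues past the last line shown, so any later use of `count` cannot be seen from here.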