diff options
| author | Linus Torvalds <torvalds@g5.osdl.org> | 2005-12-31 20:00:29 -0500 |
|---|---|---|
| committer | Linus Torvalds <torvalds@g5.osdl.org> | 2005-12-31 20:00:29 -0500 |
| commit | de9e007d9105bf8fa613a89810feff32a43add03 (patch) | |
| tree | ef7805d1e03e8648fbaca3713d1a749c27770339 | |
| parent | 35f349ee082de0be45eb23926d9fc7569f5011f0 (diff) | |
sysctl: make sure to terminate strings with a NUL
This is a slightly more complete fix for the previous minimal sysctl
string fix. It always terminates the returned string with a NUL, even
if the full result wouldn't fit in the user-supplied buffer.
The returned length is the full untruncated length, so that you can
tell when truncation has occurred.
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
| -rw-r--r-- | kernel/sysctl.c | 25 |
1 files changed, 15 insertions, 10 deletions
diff --git a/kernel/sysctl.c b/kernel/sysctl.c index e5102ea6e104..b53115b882e1 100644 --- a/kernel/sysctl.c +++ b/kernel/sysctl.c | |||
| @@ -2192,27 +2192,32 @@ int sysctl_string(ctl_table *table, int __user *name, int nlen, | |||
| 2192 | void __user *oldval, size_t __user *oldlenp, | 2192 | void __user *oldval, size_t __user *oldlenp, |
| 2193 | void __user *newval, size_t newlen, void **context) | 2193 | void __user *newval, size_t newlen, void **context) |
| 2194 | { | 2194 | { |
| 2195 | size_t l, len; | ||
| 2196 | |||
| 2197 | if (!table->data || !table->maxlen) | 2195 | if (!table->data || !table->maxlen) |
| 2198 | return -ENOTDIR; | 2196 | return -ENOTDIR; |
| 2199 | 2197 | ||
| 2200 | if (oldval && oldlenp) { | 2198 | if (oldval && oldlenp) { |
| 2201 | if (get_user(len, oldlenp)) | 2199 | size_t bufsize; |
| 2200 | if (get_user(bufsize, oldlenp)) | ||
| 2202 | return -EFAULT; | 2201 | return -EFAULT; |
| 2203 | if (len) { | 2202 | if (bufsize) { |
| 2204 | l = strlen(table->data)+1; | 2203 | size_t len = strlen(table->data), copied; |
| 2205 | if (len > l) len = l; | 2204 | |
| 2206 | if (len >= table->maxlen) | 2205 | /* This shouldn't trigger for a well-formed sysctl */ |
| 2206 | if (len > table->maxlen) | ||
| 2207 | len = table->maxlen; | 2207 | len = table->maxlen; |
| 2208 | if(copy_to_user(oldval, table->data, len)) | 2208 | |
| 2209 | /* Copy up to a max of bufsize-1 bytes of the string */ | ||
| 2210 | copied = (len >= bufsize) ? bufsize - 1 : len; | ||
| 2211 | |||
| 2212 | if (copy_to_user(oldval, table->data, copied) || | ||
| 2213 | put_user(0, (char __user *)(oldval + copied))) | ||
| 2209 | return -EFAULT; | 2214 | return -EFAULT; |
| 2210 | if(put_user(len, oldlenp)) | 2215 | if (put_user(len, oldlenp)) |
| 2211 | return -EFAULT; | 2216 | return -EFAULT; |
| 2212 | } | 2217 | } |
| 2213 | } | 2218 | } |
| 2214 | if (newval && newlen) { | 2219 | if (newval && newlen) { |
| 2215 | len = newlen; | 2220 | size_t len = newlen; |
| 2216 | if (len > table->maxlen) | 2221 | if (len > table->maxlen) |
| 2217 | len = table->maxlen; | 2222 | len = table->maxlen; |
| 2218 | if(copy_from_user(table->data, newval, len)) | 2223 | if(copy_from_user(table->data, newval, len)) |