diff options
author | Heiko Carstens <heiko.carstens@de.ibm.com> | 2009-10-29 10:04:11 -0400 |
---|---|---|
committer | Martin Schwidefsky <sky@mschwide.boeblingen.de.ibm.com> | 2009-10-29 10:05:12 -0400 |
commit | e8a79c9ec779168502402a8b834abf8cf38a325a (patch) | |
tree | 4d473feebe815ea3b76a21268e2642e748fb5e38 /drivers/s390 | |
parent | 4a0fb4c44573759f878fc65f6ddbd46080748f8b (diff) |
[S390] call home: fix string length handling
After copying uts->nodename to the static nodename array the static
version isn't necessarily zero termininated, since the size of the
array is one byte too short.
Afterwards doing strncat(data, nodename, strlen(nodename)); may copy
an arbitrary large amount of bytes.
Fix this by getting rid of the static array and using strncat with
proper length limit.
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Diffstat (limited to 'drivers/s390')
-rw-r--r-- | drivers/s390/char/sclp_async.c | 14 |
1 files changed, 6 insertions, 8 deletions
diff --git a/drivers/s390/char/sclp_async.c b/drivers/s390/char/sclp_async.c index 3c20aa131180..b44462a6c6d3 100644 --- a/drivers/s390/char/sclp_async.c +++ b/drivers/s390/char/sclp_async.c | |||
@@ -26,7 +26,6 @@ static struct sclp_async_sccb *sccb; | |||
26 | static int sclp_async_send_wait(char *message); | 26 | static int sclp_async_send_wait(char *message); |
27 | static struct ctl_table_header *callhome_sysctl_header; | 27 | static struct ctl_table_header *callhome_sysctl_header; |
28 | static DEFINE_SPINLOCK(sclp_async_lock); | 28 | static DEFINE_SPINLOCK(sclp_async_lock); |
29 | static char nodename[64]; | ||
30 | #define SCLP_NORMAL_WRITE 0x00 | 29 | #define SCLP_NORMAL_WRITE 0x00 |
31 | 30 | ||
32 | struct async_evbuf { | 31 | struct async_evbuf { |
@@ -52,9 +51,10 @@ static struct sclp_register sclp_async_register = { | |||
52 | static int call_home_on_panic(struct notifier_block *self, | 51 | static int call_home_on_panic(struct notifier_block *self, |
53 | unsigned long event, void *data) | 52 | unsigned long event, void *data) |
54 | { | 53 | { |
55 | strncat(data, nodename, strlen(nodename)); | 54 | strncat(data, init_utsname()->nodename, |
56 | sclp_async_send_wait(data); | 55 | sizeof(init_utsname()->nodename)); |
57 | return NOTIFY_DONE; | 56 | sclp_async_send_wait(data); |
57 | return NOTIFY_DONE; | ||
58 | } | 58 | } |
59 | 59 | ||
60 | static struct notifier_block call_home_panic_nb = { | 60 | static struct notifier_block call_home_panic_nb = { |
@@ -183,10 +183,8 @@ static int __init sclp_async_init(void) | |||
183 | goto out_mem; | 183 | goto out_mem; |
184 | rc = atomic_notifier_chain_register(&panic_notifier_list, | 184 | rc = atomic_notifier_chain_register(&panic_notifier_list, |
185 | &call_home_panic_nb); | 185 | &call_home_panic_nb); |
186 | if (rc) | 186 | if (!rc) |
187 | goto out_mem; | 187 | goto out; |
188 | strncpy(nodename, init_utsname()->nodename, 64); | ||
189 | goto out; | ||
190 | out_mem: | 188 | out_mem: |
191 | kfree(request); | 189 | kfree(request); |
192 | free_page((unsigned long) sccb); | 190 | free_page((unsigned long) sccb); |