diff options
| author | Linus Torvalds <torvalds@g5.osdl.org> | 2005-12-30 20:18:53 -0500 |
|---|---|---|
| committer | Linus Torvalds <torvalds@g5.osdl.org> | 2005-12-30 20:18:53 -0500 |
| commit | 8febdd85adaa41fa1fc1cb31286210fc2cd3ed0c (patch) | |
| tree | 2e1aaa5e4e68057a4e96a606e2ad0bcccedcd6df /kernel/sysctl.c | |
| parent | 8b90db0df7187a01fb7177f1f812123138f562cf (diff) | |
sysctl: don't overflow the user-supplied buffer with '\0'
If the string was too long to fit in the user-supplied buffer,
the sysctl layer would zero-terminate it by writing past the
end of the buffer. Don't do that.
Noticed by Yi Yang <yang.y.yi@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Diffstat (limited to 'kernel/sysctl.c')
| -rw-r--r-- | kernel/sysctl.c | 4 |
1 files changed, 1 insertions, 3 deletions
diff --git a/kernel/sysctl.c b/kernel/sysctl.c index 9990e10192e8..ad0425a8f709 100644 --- a/kernel/sysctl.c +++ b/kernel/sysctl.c | |||
| @@ -2201,14 +2201,12 @@ int sysctl_string(ctl_table *table, int __user *name, int nlen, | |||
| 2201 | if (get_user(len, oldlenp)) | 2201 | if (get_user(len, oldlenp)) |
| 2202 | return -EFAULT; | 2202 | return -EFAULT; |
| 2203 | if (len) { | 2203 | if (len) { |
| 2204 | l = strlen(table->data); | 2204 | l = strlen(table->data)+1; |
| 2205 | if (len > l) len = l; | 2205 | if (len > l) len = l; |
| 2206 | if (len >= table->maxlen) | 2206 | if (len >= table->maxlen) |
| 2207 | len = table->maxlen; | 2207 | len = table->maxlen; |
| 2208 | if(copy_to_user(oldval, table->data, len)) | 2208 | if(copy_to_user(oldval, table->data, len)) |
| 2209 | return -EFAULT; | 2209 | return -EFAULT; |
| 2210 | if(put_user(0, ((char __user *) oldval) + len)) | ||
| 2211 | return -EFAULT; | ||
| 2212 | if(put_user(len, oldlenp)) | 2210 | if(put_user(len, oldlenp)) |
| 2213 | return -EFAULT; | 2211 | return -EFAULT; |
| 2214 | } | 2212 | } |