diff options
author | Linus Torvalds <torvalds@g5.osdl.org> | 2005-12-31 20:00:29 -0500 |
---|---|---|
committer | Linus Torvalds <torvalds@g5.osdl.org> | 2005-12-31 20:00:29 -0500 |
commit | de9e007d9105bf8fa613a89810feff32a43add03 (patch) | |
tree | ef7805d1e03e8648fbaca3713d1a749c27770339 /kernel | |
parent | 35f349ee082de0be45eb23926d9fc7569f5011f0 (diff) |
sysctl: make sure to terminate strings with a NUL
This is a slightly more complete fix for the previous minimal sysctl
string fix. It always terminates the returned string with a NUL, even
if the full result wouldn't fit in the user-supplied buffer.
The returned length is the full untruncated length, so that you can
tell when truncation has occurred.
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Diffstat (limited to 'kernel')
-rw-r--r-- | kernel/sysctl.c | 25 |
1 files changed, 15 insertions, 10 deletions
diff --git a/kernel/sysctl.c b/kernel/sysctl.c index e5102ea6e104..b53115b882e1 100644 --- a/kernel/sysctl.c +++ b/kernel/sysctl.c | |||
@@ -2192,27 +2192,32 @@ int sysctl_string(ctl_table *table, int __user *name, int nlen, | |||
2192 | void __user *oldval, size_t __user *oldlenp, | 2192 | void __user *oldval, size_t __user *oldlenp, |
2193 | void __user *newval, size_t newlen, void **context) | 2193 | void __user *newval, size_t newlen, void **context) |
2194 | { | 2194 | { |
2195 | size_t l, len; | ||
2196 | |||
2197 | if (!table->data || !table->maxlen) | 2195 | if (!table->data || !table->maxlen) |
2198 | return -ENOTDIR; | 2196 | return -ENOTDIR; |
2199 | 2197 | ||
2200 | if (oldval && oldlenp) { | 2198 | if (oldval && oldlenp) { |
2201 | if (get_user(len, oldlenp)) | 2199 | size_t bufsize; |
2200 | if (get_user(bufsize, oldlenp)) | ||
2202 | return -EFAULT; | 2201 | return -EFAULT; |
2203 | if (len) { | 2202 | if (bufsize) { |
2204 | l = strlen(table->data)+1; | 2203 | size_t len = strlen(table->data), copied; |
2205 | if (len > l) len = l; | 2204 | |
2206 | if (len >= table->maxlen) | 2205 | /* This shouldn't trigger for a well-formed sysctl */ |
2206 | if (len > table->maxlen) | ||
2207 | len = table->maxlen; | 2207 | len = table->maxlen; |
2208 | if(copy_to_user(oldval, table->data, len)) | 2208 | |
2209 | /* Copy up to a max of bufsize-1 bytes of the string */ | ||
2210 | copied = (len >= bufsize) ? bufsize - 1 : len; | ||
2211 | |||
2212 | if (copy_to_user(oldval, table->data, copied) || | ||
2213 | put_user(0, (char __user *)(oldval + copied))) | ||
2209 | return -EFAULT; | 2214 | return -EFAULT; |
2210 | if(put_user(len, oldlenp)) | 2215 | if (put_user(len, oldlenp)) |
2211 | return -EFAULT; | 2216 | return -EFAULT; |
2212 | } | 2217 | } |
2213 | } | 2218 | } |
2214 | if (newval && newlen) { | 2219 | if (newval && newlen) { |
2215 | len = newlen; | 2220 | size_t len = newlen; |
2216 | if (len > table->maxlen) | 2221 | if (len > table->maxlen) |
2217 | len = table->maxlen; | 2222 | len = table->maxlen; |
2218 | if(copy_from_user(table->data, newval, len)) | 2223 | if(copy_from_user(table->data, newval, len)) |