1 files changed, 16 insertions, 13 deletions
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index 9990e10192e8..b53115b882e1 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -2192,29 +2192,32 @@ int sysctl_string(ctl_table *table, int __user *name, int nlen,
                  void __user *oldval, size_t __user *oldlenp,
                  void __user *newval, size_t newlen, void **context)
 {
-        size_t l, len;
-        
        if (!table->data || !table->maxlen) 
                return -ENOTDIR;
        
        if (oldval && oldlenp) {
-                if (get_user(len, oldlenp))
+                size_t bufsize;
+                if (get_user(bufsize, oldlenp))
                        return -EFAULT;
-                if (len) {
+                if (bufsize) {
-                        l = strlen(table->data);
+                        size_t len = strlen(table->data), copied;
-                        if (len > l) len = l;
-                        if (len >= table->maxlen)
+                        /* This shouldn't trigger for a well-formed sysctl */
+                        if (len > table->maxlen)
                                len = table->maxlen;
-                        if(copy_to_user(oldval, table->data, len))
-                                return -EFAULT;
+                        /* Copy up to a max of bufsize-1 bytes of the string */
-                        if(put_user(0, ((char __user *) oldval) + len))
+                        copied = (len >= bufsize) ? bufsize - 1 : len;
+                        if (copy_to_user(oldval, table->data, copied) ||
+                            put_user(0, (char __user *)(oldval + copied)))
                                return -EFAULT;
-                        if(put_user(len, oldlenp))
+                        if (put_user(len, oldlenp))
                                return -EFAULT;
                }
        }
        if (newval && newlen) {
-                len = newlen;
+                size_t len = newlen;
                if (len > table->maxlen)
                        len = table->maxlen;
                if(copy_from_user(table->data, newval, len))
@@ -2223,7 +2226,7 @@ int sysctl_string(ctl_table *table, int __user *name, int nlen,
                        len--;
                ((char *) table->data)[len] = 0;
        }
-        return 0;
+        return 1;
 }
 /*

diff --git a/kernel/sysctl.c b/kernel/sysctl.c index 9990e10192e8..b53115b882e1 100644 --- a/kernel/sysctl.c +++ b/kernel/sysctl.c
@@ -2192,29 +2192,32 @@ int sysctl_string(ctl_table table, int __user name, int nlen,
2192	void __user oldval, size_t __user oldlenp,	2192	void __user oldval, size_t __user oldlenp,
2193	void __user newval, size_t newlen, void *context)	2193	void __user newval, size_t newlen, void *context)
2194	{	2194	{
2195	size_t l, len;
2196
2197	if (!table->data \|\| !table->maxlen)	2195	if (!table->data \|\| !table->maxlen)
2198	return -ENOTDIR;	2196	return -ENOTDIR;
2199		2197
2200	if (oldval && oldlenp) {	2198	if (oldval && oldlenp) {
2201	if (get_user(len, oldlenp))	2199	size_t bufsize;
		2200	if (get_user(bufsize, oldlenp))
2202	return -EFAULT;	2201	return -EFAULT;
2203	if (len) {	2202	if (bufsize) {
2204	l = strlen(table->data);	2203	size_t len = strlen(table->data), copied;
2205	if (len > l) len = l;	2204
2206	if (len >= table->maxlen)	2205	/* This shouldn't trigger for a well-formed sysctl */
		2206	if (len > table->maxlen)
2207	len = table->maxlen;	2207	len = table->maxlen;
2208	if(copy_to_user(oldval, table->data, len))	2208
2209	return -EFAULT;	2209	/* Copy up to a max of bufsize-1 bytes of the string */
2210	if(put_user(0, ((char __user *) oldval) + len))	2210	copied = (len >= bufsize) ? bufsize - 1 : len;
		2211
		2212	if (copy_to_user(oldval, table->data, copied) \|\|
		2213	put_user(0, (char __user *)(oldval + copied)))
2211	return -EFAULT;	2214	return -EFAULT;
2212	if(put_user(len, oldlenp))	2215	if (put_user(len, oldlenp))
2213	return -EFAULT;	2216	return -EFAULT;
2214	}	2217	}
2215	}	2218	}
2216	if (newval && newlen) {	2219	if (newval && newlen) {
2217	len = newlen;	2220	size_t len = newlen;
2218	if (len > table->maxlen)	2221	if (len > table->maxlen)
2219	len = table->maxlen;	2222	len = table->maxlen;
2220	if(copy_from_user(table->data, newval, len))	2223	if(copy_from_user(table->data, newval, len))
@@ -2223,7 +2226,7 @@ int sysctl_string(ctl_table table, int __user name, int nlen,
2223	len--;	2226	len--;
2224	((char *) table->data)[len] = 0;	2227	((char *) table->data)[len] = 0;
2225	}	2228	}
2226	return 0;	2229	return 1;
2227	}	2230	}
2228		2231
2229	/*	2232	/*