lk/linux-kernel-test
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

sysctl: don't overflow the user-supplied buffer with '\0'

Browse Source 
If the string was too long to fit in the user-supplied buffer,
the sysctl layer would zero-terminate it by writing past the
end of the buffer. Don't do that.

Noticed by Yi Yang <yang.y.yi@gmail.com>

Signed-off-by: Linus Torvalds <torvalds@osdl.org>
This commit is contained in:
Linus Torvalds
2005-12-30 17:18:53 -08:00
parent 8b90db0df7
commit 8febdd85ad
1 changed files with 1 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
kernel/sysctl.c
View File

@@ -2201,14 +2201,12 @@ int sysctl_string(ctl_table *table, int __user *name, int nlen,
if (get_user(len, oldlenp)) if (get_user(len, oldlenp))
return -EFAULT; return -EFAULT;
if (len) { if (len) {
l = strlen(table->data); l = strlen(table->data)+1;
if (len > l) len = l; if (len > l) len = l;
if (len >= table->maxlen) if (len >= table->maxlen)
len = table->maxlen; len = table->maxlen;
if(copy_to_user(oldval, table->data, len)) if(copy_to_user(oldval, table->data, len))
return -EFAULT; return -EFAULT;
if(put_user(0, ((char __user *) oldval) + len))
return -EFAULT;
if(put_user(len, oldlenp)) if(put_user(len, oldlenp))
return -EFAULT; return -EFAULT;
} }