mirror of
https://github.com/adulau/aha.git
synced 2024-12-28 03:36:19 +00:00
sysctl: don't overflow the user-supplied buffer with '\0'
If the string was too long to fit in the user-supplied buffer, the sysctl layer would zero-terminate it by writing past the end of the buffer. Don't do that. Noticed by Yi Yang <yang.y.yi@gmail.com> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
This commit is contained in:
parent
8b90db0df7
commit
8febdd85ad
1 changed files with 1 additions and 3 deletions
|
@ -2201,14 +2201,12 @@ int sysctl_string(ctl_table *table, int __user *name, int nlen,
|
|||
if (get_user(len, oldlenp))
|
||||
return -EFAULT;
|
||||
if (len) {
|
||||
l = strlen(table->data);
|
||||
l = strlen(table->data)+1;
|
||||
if (len > l) len = l;
|
||||
if (len >= table->maxlen)
|
||||
len = table->maxlen;
|
||||
if(copy_to_user(oldval, table->data, len))
|
||||
return -EFAULT;
|
||||
if(put_user(0, ((char __user *) oldval) + len))
|
||||
return -EFAULT;
|
||||
if(put_user(len, oldlenp))
|
||||
return -EFAULT;
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue