From: Tejun Heo Date: Thu, 10 Nov 2005 07:55:01 +0000 (+0100) Subject: [BLOCK] fix string handling in elv_iosched_store X-Git-Tag: v2.6.15-rc2~226 X-Git-Url: https://err.no/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=be56123568072d223263a6a70a087d1e7faabb83;p=linux-2.6 [BLOCK] fix string handling in elv_iosched_store elv_iosched_store doesn't terminate string passed from userspace if it's too long. Also, if the written length is zero (probably not possible), it accesses elevator_name[-1]. This patch fixes both bugs. Signed-off-by: Tejun Heo Signed-off-by: Jens Axboe --- diff --git a/block/elevator.c b/block/elevator.c index 73aa46b6db..cacfff7418 100644 --- a/block/elevator.c +++ b/block/elevator.c @@ -762,13 +762,15 @@ error: ssize_t elv_iosched_store(request_queue_t *q, const char *name, size_t count) { char elevator_name[ELV_NAME_MAX]; + size_t len; struct elevator_type *e; - memset(elevator_name, 0, sizeof(elevator_name)); - strncpy(elevator_name, name, sizeof(elevator_name)); + elevator_name[sizeof(elevator_name) - 1] = '\0'; + strncpy(elevator_name, name, sizeof(elevator_name) - 1); + len = strlen(elevator_name); - if (elevator_name[strlen(elevator_name) - 1] == '\n') - elevator_name[strlen(elevator_name) - 1] = '\0'; + if (len && elevator_name[len - 1] == '\n') + elevator_name[len - 1] = '\0'; e = elevator_get(elevator_name); if (!e) {