From: Bo Yan <[email protected]>
The strlcpy function returns the length of source pointer when the
requested size is 0. This behavior is relied upon for sched tracing.
We can't simply return when buf is 0, but we have to protect against the
scenario when buf is 0 and requested size is non-zero, in which case the
strlcpy would lead to illegal memory access.
This issue is reported by coverity as strlcpy might end up using a NULL
buffer and non-zero buf_length value.
To avoid this, add check and return -EINVAL in this case.
Signed-off-by: Bo Yan <[email protected]>
Signed-off-by: Ashish Mhetre <[email protected]>
---
fs/kernfs/dir.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fs/kernfs/dir.c b/fs/kernfs/dir.c
index 4ca0b5c..76c85a5 100644
--- a/fs/kernfs/dir.c
+++ b/fs/kernfs/dir.c
@@ -129,6 +129,9 @@ static int kernfs_path_from_node_locked(struct kernfs_node *kn_to,
size_t depth_from, depth_to, len = 0;
int i, j;
+ if (WARN_ON(!buf && buflen > 0))
+ return -EINVAL;
+
if (!kn_to)
return strlcpy(buf, "(null)", buflen);
--
2.7.4